Critical Infrastructure Protection
Federal Efforts Require a More Coordinated and Comprehensive Approach for Protecting Information Systems Gao ID: GAO-02-474 July 15, 2002Critical infrastructure protection (CIP) involves activities that enhance the security of the nation's cyber and physical public and private infrastructures that are essential to national security, economic activity, and public health and safety. At least 50 federal organizations within 13 major departments and agencies mentioned in Presidential Decision Directive 63 are involved in CIP activities that include setting policy, analyzing vulnerabilities and intelligence information, disseminating alerts and warnings on potential and actual infrastructure attacks, developing remediation plans, responding to incidents, and performing research and development. Although most organizations could identify their relationships with other key CIP entities, relationships among all organizations performing similar activities were not consistently established. Most of the organizations in GAO's review do not receive appropriations specifically designated for cyber CIP and, therefore, do not track these funds. A complicating factor in tracking funds spent on cyber CIP activities is that organizational totals often include funds spent on physical, cyber, and agency-specific CIP spending.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-02-474, Critical Infrastructure Protection: Federal Efforts Require a More Coordinated and Comprehensive Approach for Protecting Information Systems
This is the accessible text file for GAO report number GAO-02-474
entitled 'Critical Infrastructure Protection: Federal Efforts Require a
More Coordinated and Comprehensive Approach for Protecting Information
Systems' which was released on July 15, 2002.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products‘ accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
Report to the Committee on Governmental Affairs, U.S. Senate:
July 2002:
Critical Infrastructure Protection:
Federal Efforts Require a More Coordinated and Comprehensive Approach
for Protecting Information Systems:
GAO-02-474:
Contents:
Letter:
Results in Brief:
Background:
At Least 50 Federal Organizations Derive Their Cyber CIP
Responsibilities from a Variety of Sources:
Relationships among Cyber CIP Organizations Are Not Consistently
Established:
CIP Funds Are Not Separately Appropriated for Most
Organizations, and Precise Levels of Spending Cannot Be Ascertained:
Conclusions:
Recommendation:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Federal Organizations Involved in National or Multiagency
Cyber CIP Efforts:
Federal Advisory Committees:
Executive Office of the President:
Chief Information Officers Council:
National Communications System:
Federal Communications Commission:
U.S. Department of Commerce:
U.S. Department of Defense:
Director of Central Intelligence:
U.S. Department of Energy:
U.S. Department of Justice:
U.S. Department of Transportation:
Environmental Protection Agency:
Federal Emergency Management Agency:
U.S. General Services Administration:
Department of Health and Human Services:
National Science Foundation:
U.S. Department of State:
U.S. Department of the Treasury:
Appendix III: Components of Executive Departments or Agencies and
Their Primary Activities Related to Cyber CIP:
Appendix IV: Comments from the Department of Justice:
Appendix V: Comments from the Special Advisor to the President for
Cyberspace Security:
Appendix VI: Comments from the Office of Science and Technology Policy:
Appendix VII: Comments from the Federal Emergency Managament Agency:
Appendix VIII: Comments from the Department of State:
Appendix IX: GAO Contact and Staff Acknowledgements:
GAO Contact:
Acknowledgments:
Tables:
Table 1: Observed Threats to Critical Infrastructure:
Table 2: Key Executive Orders, Presidential Decision Directives, Acts,
and Directives That Mention Activities Related to Cyber CIP:
Table 3: Office of Homeland Security Fiscal Year 2002 and 2003 CIP
Funding:
Table 4: Executive Department or Agency Components and Their Primary
Activities Related to Cyber CIP:
Figures:
Figure 1: Information Security Incidents Reported to Carnegie-Mellon‘s
CERT®, Coordination Center: 1990-2001:
Figure 2: Organizations with CIP Responsibilities as Outlined by PDD 63:
Figure 3: Overview of National or Multiagency Federal Cyber CIP
Organizations:
Figure 4: Components of Executive Departments or Agencies and Their
Primary Activities Related to Cyber CIP (as indicated by the Color-
Coded Legend Below):
CIAO: Critical Infrastructure Assurance Office:
CIP: critical infrastructure protection:
DOD: Department of Defense:
ECIE: Executive Council on Integrity and Efficiency :
FBI: Federal Bureau of Investigation:
FedCIRC: Federal Computer Incident Response Center:
FEMA: Federal Emergency Management Agency:
GSA: General Services Administration:
ISAC: information sharing and analysis center:
NIAC: National Infrastructure Assurance Council:
NIPC: National Infrastructure Protection Center:
NIST: National Institute of Standards and Technology:
NSA: National Security Agency:
OMB: Office of Management and Budget:
OSTP: Office of Science and Technology Policy:
PCIE: President‘s Council on Integrity and Efficiency:
PDD: Presidential Decision Directive:
R&D: research and development:
TSA: Transportation Security Administration:
Letter:
July 15, 2002:
The Honorable Joseph I. Lieberman:
Chairman:
The Honorable Robert F. Bennett:
Committee on Governmental Affairs:
United States Senate:
Since the early 1990s, an explosion in computer interconnectivity, most
notably growth in the use of the Internet, has revolutionized the way
that our government, nation, and much of the world communicate and
conduct business. However, this widespread interconnectivity also poses
enormous risks to our computer systems and, more importantly, to the
critical operations and infrastructures they support, such as
telecommunications, power distribution, national defense, law
enforcement, and critical government services. Because potential
adversaries--be they nation-states, cyber terrorist groups, criminal
organizations, or disgruntled insiders--can develop cyber-attack
capabilities to attempt to exploit these risks, it is essential that
our critical infrastructures be adequately protected.
Concerns about computer-based vulnerabilities have been reported
repeatedly during the 1990s. Since 1997--most recently in January
2001--we, in reports to the Congress,[Footnote 1] have designated
information security a governmentwide high-risk area. In addition, in
its October 1997 report,[Footnote 2] the President‘s Commission on
Critical Infrastructure Protection described, from a national
perspective, the potentially devastating implications of poor
information security.
In May 1998, Presidential Decision Directive 63 was issued in response
to the commission‘s report. The directive called for a range of actions
intended to improve federal agency security programs, establish a
partnership between the government and the private sector, and improve
the nation‘s ability to detect and respond to serious computer-based
attacks. Critical infrastructure protection (CIP) involves activities
that enhance the security of our nation‘s cyber and physical public and
private infrastructures that are essential to national security,
national economic security, and/or national public health and safety.
On October 16, 2001, President Bush issued Executive Order 13231,
’Critical Infrastructure Protection in the Information Age,“ which
continues many Presidential Decision Directive 63 activities by
focusing on cyberthreats to critical infrastructures, and also created
the President‘s Critical Infrastructure Protection Board to coordinate
federal cybersecurity efforts.
In response to your request, we reviewed federal organizations involved
in national or multiagency cyber CIP activities. Specifically, our
objectives were to (1) identify the federal civilian, defense, and
intelligence organizations involved in protecting critical
infrastructures from computer-based attacks, and their
responsibilities, current organizational placement, and source of
authority; (2) identify the organizations‘ relationships with each
other; and (3) determine appropriated CIP funds for each organization.
As agreed with your staff, we concentrated on federal organizations
identified in Presidential Decision Directive 63 or Executive Order
13231 that have a national or multiagency cyber CIP focus and did not
address organizations involved solely in CIP activities specific to
their department or agency, such as the agencies‘ critical
infrastructure assurance offices. For example, although organizations
such as the Federal Aviation Administration, the Centers for Disease
Control, the Financial Management Service, and the National Weather
Service are responsible for the security of critical cyber systems,
they do not have national cyber CIP responsibilities outside their
agencies. In addition, other information security organizations that
receive federal funding were not included in our review. Further
details on our objectives, scope, and methodology are provided in
appendix I.
Results in Brief:
At least 50 federal organizations are involved in national or
multiagency cyber CIP activities that include setting policy, analyzing
vulnerabilities and intelligence information, disseminating alerts and
warnings on potential and actual infrastructure attacks, developing
remediation plans, responding to incidents, and performing research and
development. These organizations are primarily located within 13 major
departments and agencies mentioned in Presidential Decision Directive
63. In addition to most of these organizations‘ noting that Directive
63 and Executive Order 13231 were the primary sources dictating their
current cyber CIP roles and responsibilities, many identified other
preexisting laws, directives, and orders that levy related
requirements. Nevertheless, current cyber CIP efforts do not
specifically address all potentially relevant critical infrastructure
sectors or federal agencies. For example, Directive 63 excludes some
key infrastructure areas and their respective federal agencies, such as
those associated with chemical manufacturing and food safety. The chair
of the President‘s Critical Infrastructure Protection Board, as well as
officials from the Critical Infrastructure Assurance Office,
acknowledged that our nation‘s critical infrastructures are currently
being redefined and could be expanded in view of the events of
September 11, 2001. Such an effort is critical to ensuring that we are
comprehensively addressing our nation‘s critical infrastructures.
Although most organizations could identify their relationships with
other key cyber CIP entities, relationships among all organizations
performing similar activities (e.g., policy development or analysis and
warning) were not consistently established. The President‘s Critical
Infrastructure Protection Board is intended to coordinate federal
efforts and programs related to protecting critical infrastructures.
However, an underlying challenge in this coordination is that a
detailed strategy is still being developed. Without a strategy that
identifies responsibilities and relationships for all cyber CIP
efforts, our nation risks not knowing whether we have the appropriate
structure to deal with the growing threat of computer-based attacks on
its critical infrastructure. The President‘s Critical Infrastructure
Protection Board is currently developing a proposed national strategy
in coordination with the private sector. It is essential that this
strategy define the roles, responsibilities, and relationships among
the various federal organizations involved in cyber CIP activities.
Most of the organizations in our review do not receive appropriations
specifically designated for cyber CIP and, therefore, do not have a
process to track these funds. A complicating factor in tracking funds
spent on cyber CIP activities is that organizational totals often
include funds spent on physical, cyber, and agency-specific CIP
spending. A few selected organizations can readily identify their CIP
funding since the majority, and in some cases all, of their operations
are related to such activities. Overall, on the basis of agency input
submitted to the Office of Management and Budget (OMB), the executive
branch estimated that $3.9 billion was requested for CIP for fiscal
year 2003. However, this total involves both physical and cyber CIP,
and detailed breakdowns of these funds are not available. OMB plans to
provide a more detailed breakdown in the future.
We are recommending that when developing the strategy to guide federal
cyber CIP efforts, senior executive branch officials ensure that the
strategy, among other things, includes all relevant sectors, defines
the key federal agencies‘ roles and responsibilities associated with
each of these sectors, and defines the relationships among the key
cyber CIP organizations.
In providing written comments on a draft of this report, the Department
of Justice generally concurred with our findings and recommendations;
the Special Advisor to the President for Cyberspace Security and the
Department of State did not indicate whether they agreed or disagreed;
the Federal Emergency Management Agency requested that we add an
additional organization, and the Office of Science and Technology
Policy (OSTP) disagreed with our statement that none of the R&D
organizations coordinated with them. Specifically, on the basis of
additional information the Federal Emergency Management Agency provided
in an attachment, we added the Office of the Chief Information Officer
and Information Technology Services Directorate and also incorporated
additional technical comments, as appropriate. OSTP stated that it is
inaccurate for us to imply that consultations are not occurring with
the agencies with research and development (R&D); however, when we
asked the R&D organizations who they coordinate with, none indicated
that they coordinated with OSTP, nor did any of these organizations
comment on this statement in our draft report that OSTP took exception
to. We also received oral comments from nine agencies that have been
incorporated into the report, as appropriate. Although the written and
oral comments varied in scope and detail, they were primarily limited
to technical comments on the description of their responsibilities
described in appendix II. We have incorporated these changes in the
report as appropriate. The Department of Transportation had no
comments, and we did not receive comments from the Department of
Commerce.
Background:
The risks associated with our nation‘s reliance on interconnected
computer systems are substantial and varied. By launching attacks
across a span of communications systems and computers, attackers can
effectively disguise their identity, location, and intent, thereby
making them difficult and time-consuming to trace. Such attacks could
severely disrupt computer-supported operations, compromise the
confidentiality of sensitive information, and diminish the integrity of
critical data. A significant concern is that terrorists or hostile
foreign states could launch computer-based attacks on critical systems
to severely damage or disrupt national defense or other critical
operations or steal sensitive data, resulting in harm to the public
welfare. According to the National Security Agency (NSA), foreign
governments already have or are developing computer attack
capabilities, and potential adversaries are developing a body of
knowledge about U.S. systems and about methods to attack these systems.
The threat to these infrastructures was highlighted by the Special
Advisor to the President for Cyberspace Security in a Senate briefing
when he stated that although to date none of the traditional terrorists
groups such as al Qaeda have used the Internet to launch a known
assault on the U.S.‘s infrastructure, information on computerized water
systems was recently discovered on computers found in al Qaeda camps in
Afghanistan. Table 1 summarizes the key threats to our critical
infrastructures.
Table 1: Observed Threats to Critical Infrastructure:
Threat: Criminal groups;
Description: There is an increased use of cyber intrusions by criminal
groups who attack systems for purposes of monetary gain.
Threat: Foreign intelligence services;
Description: Foreign intelligence services use cyber tools as part of
their information gathering and espionage activities.
Threat: Hackers;
Description: Hackers sometimes crack into networks for the thrill of
the challenge or for bragging rights in the hacker community. While
hacking once required a fair amount of skill or computer knowledge,
hackers can now download attack scripts and protocols from the
Internet and launch them against victim sites. Thus, while attack
tools have become more sophisticated, they have also become easier to
use.
Threat: Hacktivists;
Description: Hacktivism refers to politically motivated attacks on
publicly accessible Web pages or e-mail servers. These groups and
individuals overload e-mail servers and hack into Web sites to send a
political message.
Threat: Information warfare;
Description: Several nations are aggressively working to develop
information warfare doctrine, programs, and capabilities. Such
capabilities enable a single entity to have a significant and serious
impact by disrupting the supply, communications, and economic
infrastructures that support military power--impacts that, according
to the Director of Central Intelligence,[A] can affect the daily lives
of Americans across the country.
Threat: Insider threat;
Description: The disgruntled organization insider is a principal
source of computer crimes. Insiders may not need a great deal of
knowledge about computer intrusions because their knowledge of a
victim system often allows them to gain unrestricted access to cause
damage to the system or to steal system data.
Threat: Virus writers;
Description: Virus writers are posing an increasingly serious threat.
Several destructive computer viruses and ’worms“ have harmed files and
hard drives, including the Melissa Macro, the CIH (Chernobyl), and
Nimda viruses and the Explore.Zip and CodeRed worms.
[A] Prepared Statement of George J. Tenet, director of central
intelligence, before the Senate Select Committee on Intelligence,
February 2, 2000.
Source: Federal Bureau of Investigation.
[End of table]
The number of reported cyber-based incidents is increasing. Complete
summary data are not available because many incidents are not reported.
Nevertheless, the number of reported incidents handled by the
Carnegie-Mellon University CERT®‚ Coordination Center[Footnote 3]
continues to increase dramatically. For example, the number of
incidents reported to the CERT®‚ Coordination Center during the first
quarter of 2002 is more than half the number of incidents reported for
all of 2001. Figure 1 shows the number of incidents reported to the
CERT®‚ Coordination Center from 1990 through 2001.
Figure 1: Information Security Incidents Reported to Carnegie-Mellon‘s
CERT‚ Coordination Center: 1990-2001:
[See PDF for image]
Source: Carnegie-Mellon‘s CERT‚ Coordination Center.
[End of figure]
The events of September 11, 2001, underscore the need to protect
America‘s critical infrastructures against potentially disastrous
cyberattacks--attacks that could also be coordinated to coincide with
physical terrorist attacks to maximize the impact of both.
Critical Infrastructure Protection Policy Has Been Evolving Since the
Mid-1990‘s:
Federal awareness of the importance of securing our nation‘s cyber
critical infrastructures, which underpin our society, economy, and
national security, has been evolving since the mid-1990‘s. Over the
years, a variety of working groups have been formed, special reports
written, federal policies issued, and organizations created to address
the issues that have been raised. In June 1995, a Critical
Infrastructure Working Group, led by the Attorney General, was formed
to (1) identify critical infrastructures and assess the scope and
nature of threats to them, (2) survey existing government mechanisms
for addressing these threats, and (3) propose options for a full-time
group to consider long-term government response to threats to critical
infrastructures. The working group recommended creating a commission to
further investigate the issues. In response to this recommendation, the
President‘s Commission on Critical Infrastructure Protection was
established in July 1996 to study the nation‘s vulnerabilities to both
cyber and physical threats.
In October 1997, the President‘s Commission issued its report, which
described the potentially devastating implications of poor information
security from a national perspective. The report recommended several
measures to achieve a higher level of critical infrastructure
protection, including infrastructure protection through industry
cooperation and information sharing, a national organization structure,
a revised program of research and development, a broad program of
awareness and education, and reconsideration of laws related to
infrastructure protection. The report stated that a comprehensive
effort would need to ’include a system of surveillance, assessment,
early warning, and response mechanisms to mitigate the potential for
cyberthreats.“ It said that the Federal Bureau of Investigation (FBI)
had already begun to develop warning and threat analysis capabilities
and urged it to continue in these efforts. In addition, the report
noted that the FBI could serve as the preliminary national warning
center for infrastructure attacks and provide law enforcement,
intelligence, and other information needed to ensure the highest
quality analysis possible.
The President subsequently issued Presidential Decision Directive (PDD)
63, in 1998, which describes a strategy for cooperative efforts by
government and the private sector to protect critical, computer-
dependent operations. PDD 63 called for a range of actions intended to
improve federal agency security programs, improve the nation‘s ability
to detect and respond to serious computer-based attacks, and establish
a partnership between the government and the private sector. The
directive called on the federal government to serve as a model of how
infrastructure assurance is best achieved and designated lead agencies
to work with private-sector and government organizations. Further, it
established critical infrastructure protection as a national goal, and
stated that, by the close of 2000, the United States was to have
achieved an initial operating capability to protect the nation‘s
critical infrastructures from intentional destructive acts and, no
later than 2003, an enhanced capability.
To accomplish its goals, PDD 63 designated and established
organizations to provide central coordination and support, including:
* the Critical Infrastructure Assurance Office (CIAO), an interagency
office housed in the Department of Commerce, which was established to
develop a national plan for CIP on the basis of infrastructure plans
developed by the private sector and federal agencies;
* the National Infrastructure Protection Center (NIPC), an organization
within the FBI, which was expanded to address national-level threat
assessment, warning, vulnerability, and law enforcement investigation
and response; and:
* the National Infrastructure Assurance Council (NIAC), which was
established to enhance the partnership of the public and private
sectors in protecting our critical infrastructures.[Footnote 4]
To ensure coverage of critical sectors, PDD 63 also identified eight
private-sector infrastructures and five special functions. The
infrastructures are (1) information and communications; (2) banking and
finance; (3) water supply; (4) aviation, highway, mass transit,
pipelines, rail, and waterborne commerce; (5) emergency law
enforcement; (6) emergency fire services and continuity of government;
(7) electric power and oil and gas production and storage; and (8)
public health services. The special functions are (1) law enforcement
and internal security, (2) intelligence, (3) foreign affairs, (4)
national defense, and (5) research and development. For each of the
infrastuctures and functions, the directive designated lead federal
agencies to work with their counterparts in the private-sector. For
example, the Department of the Treasury is responsible for working with
the banking and finance sector, and the Department of Energy is
responsible for working with the electrical power industry. Similarly,
regarding special function areas, the Department of Defense (DOD) is
responsible for national defense, and the Department of State is
responsible for foreign affairs.
To facilitate private-sector participation, PDD 63 also encouraged the
creation of information sharing and analysis centers (ISAC) that could
serve as mechanisms for gathering, analyzing, and appropriately
sanitizing and disseminating information to and from infrastructure
sectors and the federal government through the NIPC. In September 2001,
we reported that six ISACs within five infrastructures had been
established to gather and share information about vulnerabilities,
attempted intrusions, and attacks within their respective
infrastructures and to meet specific sector objectives.[Footnote 5]
Three of the ISACs--for the telecommunications and electric power
industries and emergency fire services segment--were based on groups
that had existed previously. The other three--for the financial
services, information technology, and emergency law enforcement
sectors--had been established since October 1999. In addition, at that
time, we reported that the formation of at least three more ISACs for
various infrastructure sectors were being discussed. Figure 2 displays
a high-level overview of the organizations with CIP responsibilities as
outlined by PDD 63.
Figure 2: Organizations with CIP Responsibilities as Outlined by PDD 63:
[See PDF for image]
Note: In February 2001, the Critical Infrastructure Coordination Group
was replaced with the Information Infrastructure Protection and
Assurance Group under the Policy Coordinating Committee on Counter-
terrorism and National Preparedness. In October 2001, the National
Infrastructure Assurance Council was replaced with the National
Infrastructure Advisory Council, and cyber CIP functions performed by
the national coordinator were assigned to the chair of the President‘s
Critical Infrastructure Protection Board.
Source: CIAO.
[End of figure]
In response to PDD 63, in January 2000 the White House issued its
’National Plan for Information Systems Protection.“[Footnote 6] The
national plan provided a vision and framework for the federal
government to prevent, detect, respond to, and protect the nation‘s
critical cyber-based infrastructure from attack and reduce existing
vulnerabilities by complementing and focusing existing federal computer
security and information technology requirements. Subsequent versions
of the plan were expected to (1) define the roles of industry and state
and local governments working in partnership with the federal
government to protect privately owned physical and cyber-based
infrastructures from deliberate attack and (2) examine the
international aspects of CIP.
The most recent federal cyber CIP guidance was issued in October 2001,
when President Bush signed Executive Order 13231, establishing the
President‘s Critical Infrastructure Protection Board to coordinate
cyber-related federal efforts and programs associated with protecting
our nation‘s critical infrastructures. The Special Advisor to the
President for Cyberspace Security chairs the board. Executive Order
13231 tasks the board with recommending policies and coordinating
programs for protecting CIP-related information systems. The executive
order also established 10 standing committees to support the board‘s
work on a wide range of critical information infrastructure efforts.
The board is intended to coordinate with the Office of Homeland
Security in activities relating to the protection of and recovery from
attacks against information systems for critical infrastructure,
including emergency preparedness communications that were assigned to
the Office of Homeland Security by Executive Order 13228, dated October
8, 2001. The board recommends policies and coordinates programs for
protecting information systems for critical infrastructure, including
emergency preparedness communications, and the physical assets that
support such systems. In addition, the chair coordinates with the
Assistant to the President for Economic Policy on issues relating to
private-sector systems and economic effects and with the Director of
OMB on issues relating to budgets and the security of federal computer
systems.
Effective Federal Information Security Programs Are Critical to CIP:
At the federal level, cyber CIP activities are a component, perhaps the
most critical, of a federal department or agency‘s overall information
security program. Since September 1996, we have reported that poor
information security is a widespread federal government problem with
potentially devastating consequences.[Footnote 7] These information
security programs include efforts to protect critical cyber assets
owned by the federal government. Although agencies have taken steps to
redesign and strengthen their information system security programs, our
analyses of information security at major federal agencies have shown
that federal systems were not being adequately protected from computer-
based threats, even though these systems process, store, and transmit
enormous amounts of sensitive data and are indispensable to many
federal agency operations. In addition, in 1998, 2000, and 2002, we
analyzed audit results for 24 of the largest federal agencies and found
that all 24 had significant information security weaknesses.[Footnote
8] As a result of these analyses, we have identified information
security as a governmentwide high-risk issue in reports to the Congress
since 1997--most recently in January 2001.[Footnote 9]
In March of this year, when we testified on the efforts by the federal
government to implement provisions for Government Information Security
Reform Act that were enacted as part of the National Defense
Authorization Act for Fiscal Year 2001,[Footnote 10] we highlighted the
fact that each agencywide information security program is required to
ensure the integrity, confidentiality, and availability of systems and
data supporting the agency‘s critical operations and assets (e.g., CIP
assets).[Footnote 11] At that time, of 24 of the largest agencies, 15
had not implemented an effective methodology to identify their critical
assets,[Footnote 12] and 7 had not determined the priority for
restoring these assets should a disruption in critical operations
occur. OMB indicated that it was to direct all agencies to identify and
prioritize their critical assets.
Our testimony was consistent with what the President‘s Council on
Integrity and Efficiency and the Executive Council on Integrity and
Efficiency (PCIE/ECIE) reported last year on the federal government‘s
compliance with PDD 63. It concluded that the federal government could
improve its planning and assessment activities for cyber-based critical
infrastructures. Specifically, the council stated that (1) many agency
infrastructure plans were incomplete; (2) most agencies had not
identified their mission-critical infrastructure assets; and (3) few
agencies had completed vulnerability assessments of mission-critical
assets or developed remediation plans.
At Least 50 Federal Organizations Derive Their Cyber CIP
Responsibilities from a Variety of Sources:
At least 50 organizations are involved in national or multiagency cyber
CIP efforts and derive their responsibilities from PDD 63 and Executive
Order 13231, as well as various other federal laws, directives, and
orders. These organizations are involved in many cyber CIP activities,
including policy development, vulnerability assessment, and research
and development. However, current cyber CIP efforts do not specifically
address all potentially relevant sectors and their respective federal
agencies. The chair of the President‘s Critical Infrastructure
Protection Board, as well as officials from the CIAO, acknowledged that
our nation‘s critical infrastructures are currently being reexamined
and could be expanded.
Many Organizations Have National or Multiagency Cyber CIP
Responsibility:
Protecting the nation‘s critical infrastructure against information
attacks is a complicated process involving many organizations within
many government agencies. At least 50 organizations are involved in
national or multiagency cyber CIP efforts. These entities include 5
advisory committees; 6 Executive Office of the President organizations;
38 executive branch organizations associated with departments,
agencies, or intelligence organizations; and 3 other organizations.
These organizations are primarily located within 13 major departments
and agencies mentioned in PDD 63.[Footnote 13] Several departments,
including DOD, Treasury, and Commerce have multiple organizations
involved in cyber CIP activities. For example, we identified 7
organizations within DOD involved in national or multiagency cyber CIP
efforts. Appendix II identifies each of the organizations, provides a
high-level description of their cyber CIP responsibilities, and
identifies their source(s) of authority.
Although each organization described a wide range of cyber CIP-related
activities, collectively they described activities related to the
following five categories:
* policy development, including advising on policy issues, coordinating
and planning CIP activities, issuing standards and best practices,
providing input to the national CIP plan, developing education and
outreach programs with governmental and private sector organizations,
and coordinating internationally;
* analysis and warning, including conducting vulnerability analyses,
gathering intelligence information, coordinating and directing
activities to detect computer-based attacks, disseminating information
to alert organizations of potential and actual infrastructure attacks,
and facilitating the sharing of security-related information;
* compliance, including overseeing implementation of cyber CIP
programs, ensuring that policy is adhered to and remedial plans are
developed, and investigating cyberattacks on critical infrastructures;
* response and recovery, including reconstituting minimum required
capabilities, isolating and minimizing damage, and coordinating the
necessary actions to restore functionality; and:
* research and development, including coordinating federally sponsored
research and development in support of infrastructure protection.
On the following page, figure 3 displays a high-level overview of the
organizational placement of the 5 advisory committees; 6 Executive
Office of the President organizations; 13 executive branch departments
and agencies; and several other organizations involved in national or
multiagency cyber CIP efforts. For departments and agencies, figure 4
provides further detail on component organizations‘ involvement, but
does not illustrate the internal relationships within each agency. For
all figures, organizations‘ cyber CIP-related activities are identified
in one or more of the five general categories discussed above. Appendix
III displays in tabular format the entities and their activities.
[Footnote 14]
Figure 3: Overview of National or Multiagency Federal Cyber CIP
Organizations:
[See PDF for image]
Note: Major agencies or departments are highlighted in yellow here and
in figure 4. The organizations are color-coded to correspond to one or
more of the five general activities related to cyber CIP (see legend).
[End of figure]
Figure 4: Components of Executive Departments or Agencies and Their
Primary Activities Related to Cyber CIP (as indicated by the Color-
Coded Legend Below):
[See PDF for image]
[End of figure]
The President‘s recent proposal to create a cabinet-level Department of
Homeland Security states that ’currently, at least twelve different
government entities oversee the protection of our critical
infrastructure.“ As our analysis shows, at least 50 organizations are
involved in national cyber CIP efforts.
Federal Organizations Derive Their Cyber CIP Responsibilities from a
Variety of Laws, Regulations, and Federal Policy Documents:
In addition to PDD 63 and Executive Order 13231, agencies derive and
justify their cyber CIP efforts from a variety of laws, regulations,
and federal policy documents. Various laws and regulations also address
the need to secure federal systems, including the Government
Information Security Reform Act; the Clinger-Cohen Act; the Computer
Security Act; and Appendix III to OMB Circular A-130, Security of
Federal Automated Information Resources. In addition to the overarching
legislation mentioned above, table 2 below summarizes the key executive
orders, presidential decision directives, and other acts and directives
that mention activities related to cyber CIP.
Table 2: Key Executive Orders, Presidential Decision Directives, Acts,
and Directives That Mention Activities Related to Cyber CIP:
Executive orders:
Law or regulation: Executive Order 12472, ’Assignment of National
Security and Emergency Preparedness Telecommunications Functions“;
Description: Executive orders: Signed in 1984, this order established
the National Communication Systems and assigns national security
emergency preparedness responsibilities for telecommunications.
Law or regulation: Executive Order 12656, ’Assignment of Emergency
Preparedness Responsibilities“;
Description: Executive orders: Signed in 1988, this order assigns
federal national security emergency preparedness responsibilities to
federal departments and agencies for various sectors.
Law or regulation: Executive Order 13231, ’Critical Infrastructure
Protection in the Information Age“;
Description: Executive orders: Signed in October 2001, this order
establishes the President‘s Critical Infrastructure Protection Board
to coordinate the federal efforts and programs associated with
protecting our nation‘s critical infrastructures. A special advisor to
the President for cyberspace security chairs the board. This order
also tasks the board to recommend policies and coordinate programs for
protecting information systems for critical infrastructure protection.
The executive order also established 10 standing committees to support
the board‘s work on a wide range of critical information
infrastructure efforts.
Law or regulation: Executive Order 13228, ’Establishing the Office of
Homeland Security and the Homeland Security Council“;
Description: Executive orders: Signed in October 2001, this order
establishes the Office of Homeland Security, whose mission is to
develop and coordinate the implementation of a comprehensive national
strategy to secure the United States from terrorist threats or
attacks. The office will coordinate the executive branch‘s efforts to
detect, prepare for, prevent, protect against, respond to, and recover
from terrorist attacks within the United States.
Presidential decision directives:
Law or regulation: PDD 39, ’Presidential Decision Directive on
Terrorism“;
Description: Executive orders: Signed in 1995, this directive sets
forth the U.S. general policy to use all appropriate means to deter,
defeat, and respond to all terrorist attacks against U.S. interests.
More specifically, PDD 39 directs federal departments to take various
measures to (1) reduce the vulnerabilities to terrorism, (2) deter and
respond to terrorism, and (3) develop effective capabilities to
prevent and manage the consequences of terrorist use of weapons of
mass destruction. The directive charges the FBI as the lead
investigative agency to reduce U.S. vulnerabilities to terrorism.
Law or regulation: PDD 62 ’Combating Terrorism“;
Description: Executive orders: Signed in 1998, this directive
established the Office of the National Coordinator for Security,
Infrastructure Protection and Counter-Terrorism. PDD 62 also
reinforces the mission of many of the agencies charged with roles in
defending terrorism by codifying and clarifying their activities in
the range of counter-terrorism programs including the protection of
the computer-based systems that support critical infrastructure sectors.
Law or regulation: PDD 63, ’Protecting America‘s Critical
Infrastructures“;
Description: Executive orders: Signed in 1998, this directive expanded
the NIPC at the FBI, and established ISACs in cooperation with the
federal government, private sector, and the CIAO to support work in
developing a national plan.
Law or regulation: PDD 67, ’Enduring Constitutional Government and
Continuity of Government Operations“;
Description: Executive orders: Signed in 1998, this directive required
federal agencies to develop continuity of operations plans for
essential operations.
Law or regulation: PDD 75, ’U.S. Counterintelligence Effectiveness -
Counterintelligence for the 21st Century“;
Description: Executive orders: Signed in 2001, this directive
establishes a counterintelligence board of directors, the National
Security Council Deputies Committee, and a National
Counterintelligence Executive.
Other directive/acts:
Law or regulation: National Security Directive 42, National Policy for
the Security of National Security Systems;
Description: Executive orders: Signed in 1990, this directive
designates the Director, NSA the national manager for national
security telecommunications and information systems security and calls
upon him or her to promote and coordinate defense efforts against
threats to national security systems.
Law or regulation: The Stafford Act;
Description: Executive orders: Enacted in 1974, this act enables the
Federal Emergency Management Agency (FEMA) to provide supplementary
federal assistance to individuals, state and local governments, and
certain private nonprofit organizations to assist them in recovering
from the devastating effects of major disasters.
Law or regulation: The USA PATRIOT Act;
Description: Executive orders: Enacted in 2001, this act enables law
enforcement entities to apply modern surveillance capabilities to new
technologies, such as the Internet, and execute these devices in
multiple jurisdictions anywhere in the United States.
Law or regulation: The Aviation and Transportation Security Act;
Description: Executive orders: Enacted in 2001, this act created the
Transportation Security Administration (TSA) in the Department of
Transportation. The act gives TSA direct responsibility for aviation
and all other transportation security.
[End of table]
As demonstrated by the type and number of sources cited, many cyber CIP
activities are related to, and overlap with, other aspects of agencies‘
national security efforts, including homeland security, information
security, national security emergency preparedness telecommunications,
and continuity of government operations.
Additional Federal Organizations Have CIP-related Responsibilities:
Current cyber CIP efforts do not specifically address all potentially
relevant critical infrastructure sectors or federal agencies. As
mentioned previously, PDD 63 identifies eight sector infrastructures
with 13 lead agencies associated with the eight sectors and five
special functions. However, PDD 63 and Executive Order 13231 does not
specifically address other possible critical sectors such as food
supply, chemical manufacturing, and delivery services and their
respective federal agency counterparts.
Although important agencies and sectors may not be officially addressed
in PDD 63 or Executive Order 13231, a few organizations have stepped
forward to address these gaps. For example, the Department of
Agriculture, with responsibilities for food safety, recently
established a Homeland Security Council, a departmentwide council with
the mission of protecting the food supply and agricultural production.
Also, a food ISAC has been recently formed by the Food Marketing
Institute in conjunction with NIPC. In addition, officials from the
designated private-industry sectors for both electricity and water have
identified the need to coordinate with the Department of the Interior.
These sectors have an interest in the physical and cyber safeguards for
dams under Interior‘s control, because of the water and electrical
power they produce. Officials from both sectors noted that this
coordination with Interior was just initiated at the beginning of 2002.
Administration officials acknowledge that PDD 63 and Executive Order
13231 are under review for the possible inclusion of additional
sectors. The chair of the President‘s Critical Infrastructure
Protection Board told a Senate subcommittee that the critical
infrastructure sectors were being reviewed after the September 11
attacks and the subsequent anthrax attacks on the U.S. Capitol.
According to the special advisor, industries such as chemical
processing, pharmaceuticals, and colleges and universities need to be
reevaluated as critical infrastructures. Additionally, officials at the
CIAO noted that the concept of critical infrastructures is being
reviewed as part of the development of a national strategy, and that
additional government functions are being considered for inclusion.
In addition, the proposal to create a Department of Homeland Security
also refers to the need to consider additional sectors. According to
the proposal, ’the Department would be responsible for comprehensively
evaluating the vulnerabilities of America‘s critical infrastructure,
including food and water systems, agriculture, health systems and
emergency services, information and telecommunications, banking and
finance, energy (electrical, nuclear, gas and oil, dams),
transportation (air, road, rail, ports, waterways), the chemical and
defense industries, postal and shipping entities, and national
monuments and icons.“ This proposal is referring to both cyber and
physical aspects of our national infrastructure.
Until all relevant infrastructure sectors and lead agencies are
clarified, our existing policies for, and possibly our nation‘s
approach to, cyber CIP remain incomplete. The opportunity for ensuring
that all relevant organizations are addressed exists in the development
of the new national strategy.
Relationships among Cyber CIP Organizations Are Not Consistently
Established:
Most organizations were able to identify their relationships and
coordination activities. This information is presented in appendix II
for each organization that could provide it.
However, in reviewing the reported coordination of organizations with
key lead entities identified under PDD 63 and Executive Order 13231, we
identified that relationships among all organizations performing
similar activities (e.g., policy development, analysis and warning)
were not consistently established. For example, under PDD 63, the CIAO
was set up to integrate the national CIP plan, coordinate a national
education and awareness program, and coordinate legislative affairs.
Nevertheless, of the organizations conducting policy development
activities, only about one-half reported that they coordinated with the
CIAO. Of the organizations with research and development functions,
none mentioned the OSTP, which was designated the lead coordinator for
research and development in both PDD 63 and Executive Order 13231.
Our prior work on the FBI‘s NIPC, the lead for analysis and warning, is
consistent with these examples. Specifically, in April 2001, we
reported that NIPC‘s role had not been clearly articulated and was not
being consistently interpreted.[Footnote 15] PDD 63 describes general
goals and provides an outline of the responsibilities assigned to the
NIPC. However, discussions with officials in the defense, intelligence,
and civilian agencies involved in CIP, and with OMB and the National
Security Council, showed that their views of NIPC‘s roles and
responsibilities differed from one another and, in some cases, from
those outlined in PDD 63. Several expressed an opinion that this lack
of consensus had hindered NIPC‘s progress and diminished support from
other federal agencies.
In recognition of the inconsistent coordination among organizations
involved in cyber CIP, President Bush issued Executive Order 13231,
’Critical Infrastructure Protection in the Information Age,“ which
acknowledged the need for additional coordination by creating the
President‘s Critical Infrastructure Protection Board to coordinate
federal efforts and programs related to the protection of critical
infrastructures. Among the board‘s activities stated in the order are
(1) outreach to the private sector and state and local governments; (2)
information sharing; (3) incident coordination and crisis response; (4)
recruitment, retention, and training of executive branch security
professionals; (5) research and development; (6) law enforcement
coordination with national security components; (7) international
information infrastructure protection; (8) legislation; and (9)
coordination with the Office of Homeland Security. The order
established 10 standing committees to support the board‘s work,
including committees on incident response coordination and research and
development. According to the Office of Homeland Security, the mission
of these committees, within the larger mission of the board, is to
coordinate programs across government in order to minimize duplication
of efforts, create synergies, and maximize resources.
More recently, the Assistant to the President for Homeland Security, in
an April 10, 2002, letter to the chairman of the Senate Governmental
Affairs Committee, to address a March request from the committee
seeking information on homeland security efforts, discussed the need
for increased coordination among several key national cyber CIP
organizations. The assistant stated that plans for developing a
cybersecurity information coordination center are under consideration
and that it would be possible for the President‘s Critical
Infrastructure Protection Board, the outreach and awareness component
of the NIPC, and the CIAO to be collocated there to better coordinate
each organization‘s duties and responsibilities related to outreach to
private industry.
National Strategy to Ensure Coordination Is Being Developed:
A missing requirement for implementing the President‘s Critical
Infrastructure Protection Board and improving coordination continues to
be the lack of a national strategy that defines organizational roles
and relationships. We have been recommending such a strategy for
several years, having first identified the need for a detailed plan in
1998. At that time, we reported that developing a governmentwide
strategy that clearly defined and coordinated the roles and new and
existing federal entities was important to ensure governmentwide
cooperation and support for PDD 63.[Footnote 16] At that time, we
recommended that OMB ensure such coordination.
As mentioned previously, in January 2000, the White House issued its
’National Plan for Information Systems Protection“ as a first major
element of a more comprehensive strategy to be developed. At that time,
we reiterated the importance of defining and clarifying organizational
roles and responsibilities, noting that numerous federal organizations
were collecting, analyzing, and disseminating data or guidance on
computer security vulnerabilities and incidents and that clarification
would help ensure a common understanding of (1) how the activities of
these many organizations interrelate, (2) who should be held
accountable for their success or failure, and (3) whether such
activities will effectively and efficiently support national goals.
[Footnote 17]
In September 2001, we continued to report that an underlying deficiency
in the implementation of PDD 63 has been the lack of an adequate
national strategy that delineates interim objectives and the specific
roles and responsibilities of federal and nonfederal organizations
involved in CIP.[Footnote 18] At that time, among other
recommendations, we recommended that the Assistant to the President for
National Security Affairs ensure that the federal government‘s strategy
to address computer-based threats defines specific roles and
responsibilities of organizations involved in CIP and related
information security activities. In commenting on a draft of the
report, Commerce noted that the administration is reviewing the
organizational structures for CIP to ensure coordination of federal
government efforts and that it is developing a new national plan.
The national strategy for cyber CIP is still being developed and is now
planned to be issued in September 2002. A key contributor to the
national strategy will be input from the Partnership for Critical
Infrastructure Security, an organization that grew out of PDD 63,
consisting of over 60 private-sector companies and associations and 13
federal government agencies. Also contributing to the national plan
will be responses to 53 questions categorized into five critical areas
of home user and small business, major enterprises, sectors of the
national information infrastructure, national-level institutions and
policies, and global issues. The questions deal with key computer
information issues, including awareness, best practices and standards,
accountability, funding, personnel, information sharing, warning,
analysis, and incident response and recovery. The President‘s Critical
Infrastructure Protection Board recently distributed the questions over
the Internet.
A clearly defined strategy is essential for defining the relationships
among the various cyber CIP organizations, integrating cyber CIP
activities with existing laws, and ensuring that our national approach
to cyber CIP is both coordinated and comprehensive. Without such a
detailed strategy, our nation risks not having the appropriate
structure to deal with the growing threat of computer-based attacks on
its critical infrastructure.
CIP Funds Are Not Separately Appropriated for Most Organizations, and
Precise Levels of Spending Cannot Be Ascertained:
Most of the organizations in our review do not receive appropriations
specifically designated for cyber CIP and, therefore, do not have a
process to track these funds. A complicating factor in tracking funds
spent on cyber CIP activities is that organizational totals often
include funds spent on physical, cyber, and agency-specific CIP
activities. Although most organizations cannot readily identify their
cyber CIP funding, a few key organizations can since most, or in some
cases all, of their operations are related to cyber CIP activities.
These organizations include the CIAO, NIPC, the National Institute of
Standards and Technology (NIST), and GSA‘s Federal Computer Incident
Response Center (FedCIRC), as highlighted in the February 2002 Office
of Homeland Security overview.[Footnote 19] Table 3 shows the CIP
funding identified in the homeland security budget for these four
national cyber CIP organizations.
Table 3: Office of Homeland Security Fiscal Year 2002 and 2003 CIP
Funding:
National CIP Entity: FedCIRC (GSA);
Fiscal year 2002 base: $10 million;
Emergency supplemental[A]: 0;
Fiscal year 2003 proposed: $11 million.
National CIP Entity: NIPC (FBI);
Fiscal year 2002 base: $72 million;
Emergency supplemental[A]: $61 million;
Fiscal year 2003 proposed: $125 million.
National CIP Entity: Computer Security Division (NIST);
Fiscal year 2002 base: $11 million;
Emergency supplemental[A]: 0;
Fiscal year 2003 proposed: $15 million.
National CIP Entity: CIAO (Commerce);
Fiscal year 2002 base: $5 million;
Emergency supplemental[A]: $1 million;
Fiscal year 2003 proposed: $7 million.
[A] P.L. 107-38, the Emergency Supplemental Appropriations Act for
Recovery from and Response to Terrorist Attacks on the United States:
FY 2001.
Source: Office of Homeland Security, Securing the Homeland,
Strengthening the Nation, February 2002.
[End of table]
Although most organizations are not appropriated CIP funds, OMB has
estimated CIP funding levels by department and independent agencies in
its Annual Report to Congress on Combating Terrorism.[Footnote 20]
According to OMB‘s report, CIP funds have increased from approximately
$1.2 billion in fiscal year 1998 (actual) to approximately $3.9 billion
in the President‘s fiscal year 2003 budget request.
Since September 11, additional funds have been provided or requested
for CIP activities related to homeland security, which has further
complicated identifying what aspects of CIP activities are funded. In a
recent report to the Congress, the Congressional Research Service
stated that the fiscal year 2002 estimates are not readily visible in
agency budgets or congressional appropriations.[Footnote 21] The
Congressional Research Service added that a detailed breakdown of CIP
funds is not available. Without a precise tracking of cyber CIP funding
and spending, it is difficult to determine if the federal government is
spending its limited cyber CIP resources on the appropriate priorities.
However, OMB officials told us that they plan to provide more detailed
breakdowns in the future. Such information is also necessary to enable
the CIP Board to make recommendations to OMB on cyber CIP funding, as
outlined in Executive Order 13231.
Conclusions:
Protecting our nation‘s critical infrastructure is vital to our
national security, economic stability, and public health and safety.
PDD 63 established a strong foundation that defined a starting point,
and Executive Order 13231 expanded that foundation by tasking a special
advisor to the President for cyberspace security to take a leadership
role in enhancing our future efforts in that area. The President‘s
recent proposal to create a Department of Homeland Security states that
’currently, at least twelve different government entities oversee the
protection of our critical infrastructure.“ However, as our analysis
shows, at least 50 organizations are involved in national or
multiagency cyber CIP efforts, as well as additional infrastructure
organizations that have not yet been officially recognized.
Further, although most organizations could identify their relationships
with other key cyber CIP entities, relationships among all
organizations performing similar activities (e.g., policy development
or analysis and warning) were not consistently established. Without a
strategy that identifies responsibilities and relationships for all
cyber CIP efforts, our nation risks not having the appropriate
structure to deal with the growing threat of computer-based attacks on
its critical infrastructures.
Finally, most of the organizations in our review do not receive
appropriations specifically designated for cyber CIP and, therefore, do
not have a process to track these funds. OMB plans to provide more
detailed information on this area in the future.
Recommendation:
We have previously recommended that the Assistant to the President for
National Security Affairs ensure that the federal government‘s CIP
strategy defines the specific roles and responsibilities of
organizations involved in CIP and related information security
activities. To supplement this recommendation, we recommend that when
developing the strategy to guide federal CIP efforts, the Assistant to
the President for National Security Affairs, the Assistant to the
President for Homeland Security, and the Special Advisor to the
President for Cyberspace Security ensure that, among other things, the
strategy:
* includes all relevant sectors and defines the key federal agencies‘
roles and responsibilities associated with each of these sectors, and:
* defines the relationships among the key CIP organizations.
Agency Comments and Our Evaluation:
We received written comments on a draft of this report from the Special
Advisor to the President for Cyberspace Security; the Chief of Staff
and General Counsel, Office of Science and Technology Policy (OSTP);
the Chief Operating Officer and General Counsel, Federal Emergency
Management Agency (FEMA); the Assistant Secretary and Chief Financial
Officer, Department of State; and the Director, Audit Liaison Office,
Justice Management Division, Department of Justice. The Department of
Justice generally concurred with our findings and recommendations (see
appendix IV for Justice‘s written comments); the Special Advisor to the
President for Cyberspace Security and the Department of State did not
indicate whether they agreed or disagreed; FEMA requested that we add
an additional organization, and OSTP disagreed with our statement that
none of the R&D organizations coordinated with them. We received oral
comments from officials from the Office of Management and Budget; the
Environmental Protection Agency; the Departments of Defense, Energy,
Health and Human Services, and Treasury; the Federal Communications
Commission; the National Science Foundation; and the General Services
Administration. Although the written and oral comments varied in scope
and detail, they were primarily limited to technical comments on the
description of their responsibilities described in appendix II. We have
incorporated these changes in the report, as appropriate. These changes
included the addition of a few organizations involved in national or
multiagency cyber CIP efforts. The Department of Transportation had no
comments on a draft of this report, and we did not receive comments
from the Department of Commerce.
In written comments on a draft of this report (see app. V), the Special
Advisor to the President for Cyberspace Security acknowledged the
complexity and importance of coordinating CIP efforts and stated that
the President‘s Critical Infrastructure Protection Board, created under
Executive Order 13231 and composed of senior federal officials,
coordinates cybersecurity efforts, including aligning roles and
responsibilities. The Special Advisor also pointed out that the
coordination of federal efforts is only a small part of the overall
infrastructure protection challenge since the majority of the U.S.
computing power is not owned by the federal government. He added that
he is currently coordinating a national strategy that will address
cybersecurity challenges faced by federal, state, and local
governments; private companies; infrastructure owners; and home users.
We agree that federal coordination is only part of the overall
challenge in effectively managing our nation‘s cyber CIP efforts and
look forward to the completion of the national strategy so that all
relevant sectors are included and relationships among the government‘s
many players are defined. The Special Advisor also made separate
technical comments, which have been incorporated in the report, as
appropriate.
In written comments on a draft of this report (see app. VI), OSTP
stated that it is inaccurate for us to ’imply that consultations are
not occurring with the agencies“ with R&D responsibilities and that it
has exercised its coordination authority for CIP R&D over the past 5
years through regular senior-level interagency meetings. However, when
we asked the R&D organizations who they coordinated with, none
indicated that they coordinated with OSTP, and OSTP did not
specifically identify the R&D organizations in our review. Also, none
of these organizations commented on this statement in our draft report
that OSTP took exception to. Therefore, we did not make any changes to
the report. In addition, OSTP also made separate technical comments
that have been incorporated in the report, as appropriate.
In written comments on a draft of this report (see app. VII), FEMA
stated that the current draft does not include the Office of the Chief
Information Officer/Information Technology Services Directorate. On
the basis of additional information the agency provided in an
attachment, we added this office and also incorporated additional
technical comments, as appropriate.
In written comments on a draft of this report (see app. VIII), the
Department of State did not indicate whether it agreed or disagreed
with our draft, but noted that we had not included one of its six
organizations, the Bureau of Information Resource Management. We did
not include this bureau because it is not involved in national or
multiagency cyber CIP efforts. As a result, we made no revisions to our
report.
We are sending copies of this report to other interested congressional
committees; the Assistant to the President for National Security
Affairs; the Assistant to the President for Homeland Security; the
Special Advisor to the President for Cyberspace Security; the Director
of the Office of Management and Budget; and the heads of the agencies
that are identified in this report. We will also make copies available
to others upon request. The report will be available at no charge on
the GAO Web site at [hyperlink, http://www.gao.gov].
If you or your offices have any questions about matters discussed in
this report, please contact me at (202) 512-3317 or Dave Powner,
assistant director, at (303) 572-7316. We can also be reached by e-mail
at daceyr@gao.gov or pownerd@gao.gov, respectively. Staff who made key
contributors to this report are listed in appendix IX.
Robert F. Dacey
Director, Information Security Issues:
Signed by Robert F. Dacey:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
The objectives of our review were to (1) identify the federal civilian,
defense, and intelligence organizations involved in protecting critical
infrastructures from computer-based attacks, and their
responsibilities, current organizational placement, and source of
authority; (2) determine the organizations‘ relationships with each
other; and (3) determine appropriated critical infrastructure
protection (CIP) funds for each organization.
To identify the federal civilian, defense, and intelligence
organizations involved in protecting critical infrastructures from
computer-based attacks, and their responsibilities, source of
authority, and current organizational placement, we selected federal or
federally sponsored organizations supporting national or multiagency
efforts that were mentioned in either Presidential Decision Directive
(PDD) 63 or Executive Order 13231, including lead agencies and members
of the President‘s Critical Infrastructure Protection Board. After
identifying the organizations with a national or multiagency cyber CIP
effort, we (1) reviewed agency documents including enabling
legislation, charters, delegations of authority, policy documents,
program and strategic plans, and performance reports; (2) requested
written responses from them on their CIP responsibilities, sources of
authority, organizational placement and reporting relationships, and
funding; (3) interviewed pertinent officials associated with these
organizations; and (4) asked for other organizations within these
organizations that have a national CIP role. Our inventory of
organizations does not include 9 of the 24 largest federal departments
or agencies since they were not specifically identified in PDD
63,[Footnote 22] Executive Order 13231, or by officials we interviewed;
organizations that are responsible for the security of critical cyber
systems, but do not have national cyber CIP responsibilities outside
their agencies, such as the Federal Aviation Administration, the
Centers for Disease Control, the Financial Management Service, and the
National Weather Service; or agencies that have national physical
security CIP responsibilities, such as Treasury‘s Bureau of Alcohol,
Tobacco and Firearms; Transportation‘s Office of Pipeline Safety; and
the Environmental Protection Agency‘s Chemical Emergency Preparedness
and Prevention Office.
To determine the organizations‘ relationships with each other, we (1)
reviewed PDD 63 and Executive Order 13231 and written responses
regarding organizational placement and reporting relationships; (2)
analyzed interdependencies; and (3) held discussions with organization
officials and officials from the oversight and policy making bodies
such as the Critical Infrastructure Assurance Office (CIAO). We also
interviewed the Special Advisor to the President for Cyberspace
Security on current initiatives to improve coordination among these
organizations.
To determine the level of the organizations‘ CIP appropriated funds, we
analyzed agency budget documents and written responses regarding
funding levels. We reviewed recent CIP budget documents created by the
Office of Homeland Security, the Office of Management and Budget (OMB),
and the Congressional Research Service. We also discussed with OMB how
funds are appropriated and tracked for CIP activities.
We performed our work in Washington, D.C., from January through May
2002, in accordance with generally accepted government auditing
standards.
[End of section]
Appendix II: Federal Organizations Involved in National or Multiagency
Cyber CIP Efforts:
The federal organizations listed below have various national or
multiagency responsibilities related to cyber CIP efforts. These
organizations include 5 advisory committees; 6 Executive Office of the
President organizations; 38 executive branch organizations associated
with departments, agencies, or intelligence organizations; and 3 other
organizations. The description of each organization includes its cyber
CIP responsibilities, source(s) of authority, key relationships with
other CIP organizations, and, where available, information on cyber CIP
funds. See figure 4 (in main body of text) for information on
organizational placement.
Federal Advisory Committees:
Federal Advisory Committees are committees, boards, commissions, or
similar groups from the private sector that are established by statute
or established or used by the President or one or more agencies for
providing advice or recommendations to the President or one or more
agencies or federal government officials. Within a year after a
presidential advisory committee submits a public report to the
President, the President or a delegate of the President is required to
report to the Congress proposals for action or reasons for inaction
regarding the recommendations contained in the public report. In
addition, each year the President is required to provide the Congress
with an annual report on the activities, status, and changes in the
composition of advisory committees from the preceding fiscal year.
According to federal documents, the advisory committees for cyber CIP
issues are:
* the National Infrastructure Advisory Council (NIAC),
* the President‘s Council of Advisors on Science and Technology
(PCAST),
* the President‘s National Security Telecommunications Advisory
Committee (NSTAC),
* the President‘s Information Technology Advisory Committee (PITAC),
and:
* the National Science and Technology Council (NSTC).
National Infrastructure Advisory Council:
Executive Order 13130 established NIAC to advise the President on the
security of information systems for critical infrastructure supporting
other sectors of the economy: banking and finance, transportation,
energy, manufacturing, and emergency government services. The members
of NIAC, which were selected from the private sector, academia, and
state and local government, had expertise relevant to the functions of
the committee. One of NIAC‘s main duties was to monitor the development
of private-sector information sharing and analysis centers (ISAC). Just
before leaving office, President Clinton put forward the names of 21
appointees. The order was rescinded by the Bush Administration before
the council could meet. In Executive Order 13231, President Bush
established a National Infrastructure Advisory Council (with the same
acronym, NIAC) whose functions are similar to those of the council
established under the Clinton Administration. The National
Infrastructure Advisory Council is comprised of a group of 30
representatives from private industry and state and local government
that will advise the President on matters relating to cybersecurity and
CIP.
President‘s Council of Advisors on Science and Technology:
A private-sector President‘s Council of Advisors on Science and
Technology assists the National Science and Technology Council to
ensure that federal science and technology policies reflect the full
spectrum of the nation‘s needs. Since its creation, the President‘s
Council of Advisors on Science and Technology has been expanded and
currently consists of 18 members from the private sector plus the
Assistant to the President for Science and Technology, who serves as
the committee‘s co-chair. The committee members, who are appointed by
the President, are drawn from industry, education, research
institutions, and other nongovernmental organizations.
President‘s National Security Telecommunications Advisory Committee:
Executive Order 13231 calls on the President‘s National Security
Telecommunications Advisory Committee to advise the President on the
security and continuity of communications systems essential for
national security and emergency preparedness. In 1982, the President‘s
National Security Telecommunications Advisory Committee, which
comprises presidentially appointed senior executives from up to 30
major U.S. corporations in the telecommunications and financial
services industries, was established to advise the President on
national-security and emergency-preparedness telecommunications
issues.
President‘s Information Technology Advisory Committee:
Under the authority of Executive Order 13035 (1997) and amended by
Executive Order 13092 (1998), the President‘s Information Technology
Advisory Committee provides the President, the Congress, and the
federal agencies involved in information technology (IT) research and
development with expert, independent advice on advanced information
technologies, including the national infrastructure as high-
performance computing, large-scale networking, and high-assurance
software and systems design. As part of this assessment, the committee
reviews the federal networking and IT research and development program.
Leading IT experts from industry and academia comprise the committee as
it helps guide the administration‘s efforts to accelerate the
development and adoption of information technologies. The committee is
formally renewed through presidential executive orders. The current
executive order is due to expire June 1, 2003.
National Science and Technology Council:
The NSTC was established by executive order in 1993 as a cabinet-level
council, with the President serving as chair. This council is the
principal means for the President to coordinate science, space,
technology, and the various parts of the federal research and
development community. An objective of NSTC is establishing clear
national goals for federal science and technology. The council prepares
research and development strategies that are coordinated across federal
agencies to form an investment package aimed at accomplishing multiple
national goals. PDD 63 states that the Office of Science and Technology
Policy shall be responsible for coordinating research and development
programs through the council.
Executive Office of the President:
According to federal documents, the organizations with critical
infrastructure protection responsibilities are as follows:
* the Office of Homeland Security (OHS),
* the National Security Council (NSC),
* the Office of Science and Technology Policy (OSTP),
* the National Economic Council (NEC),
* the Office of Management and Budget (OMB), and:
* the President‘s Critical Infrastructure Protection Board.
Office of Homeland Security:
Established by Executive Order 13228, the mission of the Office of
Homeland Security is to develop and coordinate the implementation of a
comprehensive national strategy to secure the United States from
terrorist threats or attacks. The office, which is led by the Assistant
to the President for Homeland Security, coordinates the executive
branch‘s efforts to detect, prepare for, prevent, protect against,
respond to, and recover from terrorist attacks within the United
States. The office identifies priorities and coordinates efforts for
collecting and analyzing information. The office also identifies, in
coordination with the Assistant to the President for National Security
Affairs, intelligence sources outside the United States regarding
threats of terrorism within the United States. The office also works
with federal, state, and local agencies.
Executive Order 13228 also established the Homeland Security Council
which is responsible for advising and assisting the President regarding
all aspects of homeland security. The council is to serve as the
mechanism for ensuring that homeland-security-related activities of
executive departments and agencies are coordinated and homeland
security policies are effectively developed and implemented. As
previously mentioned, in February 2002, the Office of Homeland Security
published an overview of its proposed $37.7 billion fiscal year 2003
budget. This total includes $722 million for technology to defend the
homeland, a portion of which is to be allocated to several of the
national CIP organizations we identified.
National Security Council:
NSC coordinated the initial development and implementation of PDD 63.
These efforts included developing the National Information System
Defense Plan, monitoring federal agency CIP plans, and fostering a
public/private-sector partnership on information assurance. Under the
current Bush administration, the council underwent a major streamlining
in which all its groups established during previous administrations
were abolished. The responsibilities and functions of the former groups
were consolidated into 17 policy coordination committees. The
activities associated with CIP were assumed by the Counter-Terrorism
and National Preparedness Policy Coordination Committee. The Special
Advisor to the President for Cyberspace Security reports to the
Assistant to the President for National Security Affairs, who leads the
council, and to the Assistant to the President for Homeland Security.
Furthermore, Executive Order 13231 identifies the Assistant to the
President for National Security Affairs as a member of the President‘s
Critical Infrastructure Protection Board.
Office of Science and Technology Policy:
The Office of Science and Technology Policy was established by the
National Science and Technology Policy, Organization, and Priorities
Act of 1976. PDD 63 designates OSTP as the lead agency for research and
development for the government through the National Science and
Technology Council. Recently, Executive Order 13231 created a standing
committee for research and development, which is to be chaired by a
designee of the Director of OSTP. This office serves as the primary
advisor to the President for policy formulation and budget development
on all questions in which science and technology are important
elements. The office also leads an interagency effort to develop and
implement science and technology policies and budgets that are
coordinated across federal agencies. Its Director serves as the
Assistant to the President for Science and Technology. In this
capacity, the Director manages the National Security and Technology
Council and the President‘s Council of Advisors on Science and
Technology.
OSTP‘s Technology Division is responsible for the following: all of
OSTP‘s activities in the area of emergency-preparedness
telecommunications; the NCS; the NSTAC; continuity of government
programs; and infrastructure protection programs. In addition, this
division works closely with the office‘s Science Division on national
security issues. OSTP‘s Assistant Director for Homeland and National
Security fills the post of Senior Director for Research and Development
within the Office of Homeland Security. OSTP‘s official
responsibilities for protecting the domestic infrastructure derive from
both statute and executive order. As a result, OSTP coordinates between
the military and nonmilitary sectors within the government, between the
technical and the policy-making communities, and between the federal
government and state and local governments.
National Economic Council:
PDD 63 tasked NEC to review sector plans and the national plan for CIP
to ensure that they align with the President‘s economic goals.
Additionally, Executive Order 13231 calls on a designee of the chairman
of NEC to work in coordination with the chair of the Private Sector and
State and Local Government Outreach Committee of the President‘s
Critical Infrastructure Protection Board. NEC was established in 1993
within the Office of Policy Development within the Executive Office of
the President to advise the President on matters related to U.S. and
global economic policy. By executive order, NEC has four principal
functions: to coordinate policy-making for domestic and international
economic issues, to coordinate economic policy advice for the
President, to ensure that policy decisions and programs are consistent
with the President‘s economic goals, and to monitor implementation of
the President‘s economic policy agenda.
Office of Management and Budget:
Executive Order 13231 calls on a designee of the Director of OMB to
chair the Executive Branch Information Systems Security Committee of
the President‘s Critical Infrastructure Protection Board. OMB
evaluates, formulates, and coordinates budget and management policies
and objectives among federal departments and agencies, including that
for information security. Some of its primary responsibilities are to
assist the President in developing and maintaining effective
government, developing efficient coordinating mechanisms to expand
interagency cooperation, and developing regulatory reform proposals and
programs. As part of the Floyd D. Spence National Defense Authorization
Act for Fiscal Year 2001, Congress enacted the Government Information
Security Reform Act, tasking OMB with responsibility for establishing
and overseeing policies, standards, and guidelines for information
security. OMB is also required to submit an annual report to the
Congress summarizing results of agencies‘ evaluations of their
information security programs.
President‘s Critical Infrastructure Protection Board:
The Special Advisor to the President for Cyberspace Security heads the
Office of Cyberspace Security as set forth by Executive Order 13231.
The advisor works in close coordination and partnership with the
private sector, which owns and operates the vast majority of America‘s
critical infrastructure. The special advisor also reports to the
Assistant to the President for Homeland Security and to the Assistant
to the President for National Security Affairs. Executive Order 13231
established the President‘s Critical Infrastructure Protection Board to
coordinate the federal efforts and programs associated with protecting
our nation‘s critical infrastructures. The Special Advisor to the
President for Cyberspace Security chairs the board. Executive Order
13231 tasks the board with recommending policies and coordinating
programs for protecting information systems for CIP. The executive
order also established 10 standing committees to support the board‘s
work on a wide range of critical information infrastructure efforts.
The board is also intended to coordinate with the Office of Homeland
Security in activities relating to the protection of and recovery from
attacks against information systems for critical infrastructure,
including emergency preparedness communications that were assigned to
the Office of Homeland Security by Executive Order 13228 of October 8,
2001.
Chief Information Officers Council:
The Chief Information Officers (CIO) Council was established by
Executive Order 13011 in 1996. As set forth in Executive Order 13231,
the vice chair of the CIO Council serves as an official member of the
President‘s Critical Infrastructure Protection Board and sits on the
board‘s coordination committee. The CIO Council serves as the principal
interagency forum for improving practices in the design, modernization,
use, sharing, and performance of federal government agency information
resources. The council‘s role includes developing recommendations for
IT management policies, procedures, and standards; identifying
opportunities to share information resources; and assessing and
addressing the needs of the federal government‘s IT workforce.
Membership on the council comprises CIOs and deputy CIOs from 28
federal executive agencies. The CIO Council serves as a focal point for
coordinating challenges that cross agency boundaries.
National Communications System:
Created by Executive Order 12472, the National Communications System‘s
CIP mission is to assure the reliability and availability of national
security and emergency preparedness (NS/EP) telecommunications. Its
mission includes, but it is not necessarily limited to, responsibility
for (1) assuring the government‘s ability to receive priority services
for NS/EP purposes in current and future telecommunications networks by
conducting research and development and participating in national and
international standards bodies and (2) operationally coordinating with
industry for protecting and restoring NS/EP services in an all-hazards
environment. NCS‘s mission is externally focused on the reliability and
availability of the public telecommunications network. This mission is
carried out within government through the NS/EP Coordinating Committee,
with industry on a policy level in coordination with NSTAC, and
operationally through the National Coordinating Center for
Telecommunications (NCC) and through its participation in national and
international standards bodies. Furthermore, in January 2000, NCC was
designated an ISAC for telecommunications under the provisions of PDD
63.
NCS reports to the Executive Office of the President-NSC for policy,
OSTP for operations, and OMB for budget through the Secretary of
Defense, who is the Executive Agent for NCS. NCS‘s NS/EP Coordinating
Committee is a standing committee under the President‘s Critical
Infrastructure Protection Board. Externally, NCS coordinates with the
Office of Cyberspace Security; CIAO; the National Telecommunications
and Information Administration; the National Infrastructure Protection
Center (NIPC); the General Service Administration‘s (GSA) Federal
Computer Incident Response Center (FedCIRC); the Department of Energy
(including several of the laboratories); the Department of
Transportation (DOT), industry members of the National Coordinating
Center for Telecommunications; ISACs; and numerous Department of
Defense (DOD) organizations.
Federal Communications Commission:
The Federal Communications Commission (FCC) is an independent U.S.
government agency and a nonvoting member of the President‘s Critical
Infrastructure Protection Board. FCC is composed of five commissioners
appointed by the President with the advice and consent of the Senate.
FCC has the authority to define telecommunications service priorities
for national security emergency preparedness when the President has not
invoked his wartime authority. In addition, one designated commissioner
is assigned responsibility for advising and representing the commission
regarding matters of emergency-preparedness and national defense,
including national emergency plans and emergency preparedness of
private-sector communications organizations and continuity of FCC
functions. Recently the commission established an internal advisory
body, the FCC‘s Homeland Security Policy Council, comprising senior
managers from each of the FCC‘s policy, licensing, and operational
bureaus and offices. The Homeland Security Policy Council, which serves
as an advisory council to the chairman on homeland security matters
related to the communications industry, is headed by and reports
directly to the chairman‘s chief of staff. FCC establishes the rules
under which the Emergency Alert System (EAS) operates. EAS provides a
means of addressing the American people in the event of national
emergency. Broadcast stations, cable systems, and participating
satellite programmers install equipment that can transmit a
presidential message to the public. FCC has created two Federal
Advisory Committees to facilitate discussions on infrastructure
protection. The Network Reliability and Interoperability Council and
the Media Security and Reliability Council advise the commission on
incident prevention, system restoration, reliability and public safety
issues related to the communications industries.
U.S. Department of Commerce:
PDD 63 assigned Commerce as the lead sector liaison for information and
communications. Additionally, PDD 63 established a national plan
coordination staff, which became the Critical Infrastructure Assurance
Office, an interagency office housed in Commerce that is responsible
for planning infrastructure protection efforts. Recently, Executive
Order 13231 assigned the Secretary of Commerce to the President‘s
Critical Infrastructure Protection Board and established a standing
committee for private-sector and state and local government outreach,
which is chaired by a designee from Commerce. According to agency
officials and federal documents, the organizations with critical
infrastructure protection responsibilities are as follows:
* the Critical Infrastructure Assurance Office (CIAO),
* the National Institute of Standards and Technology (NIST),
* the National Information Assurance Partnership (NIAP), and:
* the National Telecommunications and Information Administration
(NTIA).
Critical Infrastructure Assurance Office:
As established under PDD 63, CIAO performs a variety of CIP functions
in three major areas: (1) educating the private sector on the
importance of CIP, (2) preparing the national CIP strategy, and (3)
assisting federal civilian agencies and departments in determining
their dependencies on critical infrastructures.
First, CIAO works to educate industry representatives that critical
infrastructure assurance must be addressed through corporate risk
management activities. Its efforts focus on the critical infrastructure
industries (e.g., information and communications, banking and finance,
transportation, energy, and water supply), particularly the corporate
boards and chief executive officers who are responsible for setting
policy and allocating resources for risk management. In addition to
infrastructure owners and operators, this office‘s awareness and
outreach efforts also target members of the audit, insurance, and
investment communities. CIAO‘s goal is to educate these groups on the
importance of assuring effective corporate operations, accountability,
and information security.
Second, CIAO is tasked with working with government and industry to
prepare the national strategy for CIP, which is due for completion in
2002. This strategy will serve as the basis for CIP legislative and
public policy reforms, where needed. The development of the national
strategy for CIP is to also serve as part of an ongoing process in
which government and industry will continuously modify and refine their
efforts to ensure the safety of critical information systems.
Third, CIAO is responsible for assisting civilian federal agencies and
departments in analyzing their dependencies on critical
infrastructures. This mission is conducted under Project Matrix, a
program designed to identify and characterize the assets and associated
infrastructure dependencies and interdependencies that the government
requires to fulfill its most critical responsibilities. Project Matrix
involves a three-step process in which each federal civilian agency
identifies (1) its critical assets; (2) other federal government
assets, systems, and networks on which those critical assets depend to
operate; and (3) all associated dependencies on privately owned and
operated critical infrastructures.
Additional cyber CIP duties were added to CIAO under Executive Order
13231, including having its director serve as a member of and advisor
to the President‘s Critical Infrastructure Protection Board. CIAO will
also support the activities of the National Infrastructure Advisory
Council, a group of 30 representatives from private industry and state
and local government that will advise the President on matters relating
to cybersecurity and CIP. In addition, CIAO will administer a Homeland
Security Information Technology and Evaluation Program to study and
develop methods to improve information sharing among federal agencies
and state and local governments.
CIAO‘s reported CIP funding to support these activities for fiscal
years 2000 through 2002 has been about $4.4 million, $4.8 million, and
$6.4 million, respectively.
National Institute of Standards and Technology:
NIST is a nonregulatory federal agency within Commerce‘s Technology
Administration that works with industry, federal agencies, testing
organizations, standards groups, academia, and private-sector users to
improve critical infrastructure security. Policy guidance that directs
NIST‘s CIP-related activities includes Executive Order 13231, the
Computer Security Act of 1987, the Government Information Security
Reform Act of 2001, and OMB‘s Circular A-130, Appendix III.
First, NIST supports federal departments and agencies by developing
security standards and guidelines for sensitive federal systems as
defined under the Computer Security Act of 1947. For example, the
institute works with industry to develop voluntary industry standards
that support cybersecurity, interoperability, and data exchange. Such
standards are to be used to support the operation of the Internet. NIST
participants formulate public specifications that assist industry to
improve the security and competitiveness of commercial products and to
inform consumers.
Second, NIST also helps to improve the security of commercial IT
products that provide the communications and information processing
backbone of the nation‘s infrastructure. NIST develops tests, tools,
profiles, implementation methods, and recommendations for timely and
cost-effective testing programs. Validation programs developed by NIST
are conducted in cooperation with private-sector testing laboratories.
NIST coordinates with a wide variety of IT security organizations in
the federal government and the private sector. In the federal
government, major constituents and collaborators include OMB, the
National Security Agency, the General Services Administration, and the
departments of Treasury and Health and Human Services. Key interactions
include the Federal Public Key Infrastructure Steering Committee and
its working groups, the Center for Internet Security, the Federal
Computer Security Managers‘ Forum, the Federal CIO Council, the
Committee for National Security, and the Executive Branch Information
Systems Security. Examples of IT industry associations with which NIST
works include the banking standards community and the Smart Card
Consortia. Some key industry collaborations include those with Intel,
Microsoft, RSA, IBM, Counterpane Systems, Motorola, Entrust, and
Certicom.
NIST‘s CIP funding to support these activities for 2002 and 2003 has
been $11 million and $15 million, respectively.
National Information Assurance Partnership:
NIAP is a U.S. government initiative designed to meet the security
testing, evaluation, and assessment needs of IT producers and
consumers. NIAP collaborates with NIST and the National Security Agency
in fulfilling their respective responsibilities under the Computer
Security Act of 1987. The partnership, originated in 1997, promotes the
development of technical security requirements for IT products and
systems and appropriate metrics for evaluating those products and
systems. NIAP collaborates with government agencies and industry in a
variety of areas to help meet current and future IT security challenges
affecting the nation‘s critical information infrastructure. One recent
NIAP initiative under way is collaborating with industry in developing
protection profiles for key information technologies supporting
homeland defense.
National Telecommunications and Information Administration:
As the lead agency for the information and communications
infrastructure sector under PDD 63, Commerce was assigned
responsibility for economic security aspects of CIP, which it delegated
to NTIA. To fulfill its mission, NTIA conducts five major activities.
First, it works to raise the information and communications sector‘s
awareness of cyber vulnerabilities and risks. It then assists this
sector in eliminating or mitigating these vulnerabilities. Third, it
facilitates the establishment and operation of the information and
communications sectors‘ ISACs. Fourth, it develops partnerships with
other countries and international organizations to achieve compatible
security policies and strategies. Finally, it provides industry with
results from government-based research and development efforts
regarding CIP.
To fulfill these responsibilities, NTIA coordinates with a variety of
organizations within the government and the private sector. Within
Commerce, NTIA coordinates primarily with the CIAO and NIST. Within the
federal government, NTIA coordinates with the chair of the President‘s
Critical Infrastructure Protection Board. Within the private sector,
NTIA works with three trade associations that serve as sector
coordinators: the Information Technology Association of America, the
Telecommunications Industry Association, and the United States Telecom
Association.
U.S. Department of Defense:
PDD 63 identifies national defense as a special function related to CIP
and designates DOD as the lead agency for this function. Recently,
Executive Order 13231 assigned the Secretary of Defense to the
President‘s Critical Infrastructure Protection Board and established
three standing committees that will be chaired or co-chaired by DOD,
including the Committee on National Security Systems, the Incident
Response Coordination Committee, and the Physical Security Committee.
According to agency officials and federal documents, the organizations
with critical infrastructure protection responsibilities are as
follows:
* the Joint Staff;
* the Office of the Assistant Secretary of Defense, Command, Control,
Communications, and Intelligence (ASD/C3I);
* the Defense Advanced Research Projects Agency (DARPA);
* the Defense Threat Reduction Agency (DTRA);
* the National Security Agency (NSA);
* the Defense Intelligence Agency (DIA); and:
* the Joint Task Force for Computer Network Operations (JTF-CNO).
Joint Staff:
The Joint Chiefs of Staff serve as the primary military advisors to the
President and, regarding CIP, the chairman of the Joint Chiefs of Staff
is responsible for ensuring that critical assets are identified for
executing deliberate and crisis action plans and planning for
mitigating their loss or disruption. Within the Joint Chiefs of Staff,
the Joint Staff serves as special function representative for military
plans and operations within the DOD CIP Integration Staff. The Joint
Staff is divided into eight directorates: J1-Manpower; J2-Intelligence;
J3-Operations; J4-Logistics; J5-Strategic Plans; J6-Command, Control,
Communications, and Computers (C4) Systems; J7-Operational Plans; and
J8-Force Structure. The J5 CIP office governs the physical aspects of
CIP, and the J6 directorate governs the cyber aspects and
responsibilities for the Joint Staff.
DOD‘s Joint Staff coordinates with several organizations, including
Combatant Commands; Services; various government agencies; the
President‘s Critical Infrastructure Protection Board, chaired by the
Office of Cyberspace Security; the CIAO at Commerce; the NIPC in the
FBI; the ASD/C3I; DOT, Office of Security and Intelligence; Office of
Homeland Security, Senior Director-Protection and Prevention; the
National Security Incident Response Center, chaired by the National
Security Agency; the Defense Information Systems Agency; DOD‘s Computer
Emergency Response Teams (CERT); the Joint Task Force Computer Network
Defense; FedCIRC; and the Carnegie Mellon CERT® Coordination Center.
The Joint Staff did not receive a specific CIP appropriation before the
Defense Emergency Response Funding, which was provided in response to
the attacks on September 11. The Joint Staff received $500,000 for CIP
through the Defense Emergency Response Funding that was specifically
earmarked for CIP in addition to funds not specifically earmarked for
CIP.
Office of the Assistant Secretary of Defense, Command, Control,
Communications and Intelligence:
In accordance with PDD 63, DOD is responsible for identifying the
national defense infrastructure and working with the national CIP
organizational structure and the private sector to ensure its
protection. ASD/C3I manages DOD‘s CIP program and is responsible for
its CIP policy development. DOD‘s CIP program is developing to ensure
that critical cyber and physical infrastructure assets that DOD depends
on are available to mobilize, deploy, and sustain military operations.
ASD/C3I (CIP) develops CIP policy, advocates funding, and oversees
implementation of the CIP program. This office oversees DOD‘s Critical
Infrastructure Protection Integration Staff (CIPIS). CIPIS receives
input from DOD‘s defense sectors, lead components, and special function
components.
Defense Advanced Research Projects Agency:
Executive Order 13231 directs DARPA to work in coordination with the
National Science Foundation as members of the President‘s Critical
Infrastructure Protection Board‘s Committee on Research and
Development. In this capacity, DARPA is to assist with federal
government research and development for protecting critical
infrastructure information systems, including emergency preparedness
communications and the physical assets that support such systems, and
ensure that government activities are coordinated with corporations,
universities, federally funded research centers, and national
laboratories. DARPA‘s Information Technology Office performs research
on information technologies for use in advanced defense applications.
The office‘s mission is to provide the networking and computing
hardware, software, systems, and management technologies vital to
ensuring DOD‘s military superiority. The office is addressing IT issues
of strategic concern, such as security, interoperability, and
survivability technologies.
Defense Threat Reduction Agency:
Directed by PDD 63, DTRA‘s CIP-related efforts encompass technology
development and combat support. This agency‘s technology development
efforts include managing the development of the National Infrastructure
Simulation and Analysis Center (NISAC) and the technical development
under its Mission Degradation Analysis (MIDAS) program. NISAC is a
joint effort between DTRA and Department of Energy‘s (DOE) national
laboratories to develop an architecture to simulate and analyze the
nation‘s civilian infrastructures. The MIDAS program is a research
effort to determine DOD mission degradation due to degradation in
supporting infrastructures. DTRA‘s combat support efforts include
Balanced Survivability Assessments, Joint Staff Integrated
Vulnerability Assessments, and the Chemical-Biological Sea Port
Protection Analysis.
DITRA‘s director reports directly to the Assistant to the Secretary of
Defense, Nuclear Chemical Biological. Regarding CIP research and
development, DTRA coordinates with internal DOD offices and DOE, and
has begun to coordinate with the Office of Homeland Security in
managing NISAC.
DTRA received appropriations designated for some of its CIP and CIP-
related projects for fiscal years 2000, 2001, and 2002, but funding for
the remaining CIP efforts were funded through the agency‘s budgeting
process. MIDAS received the following amounts in appropriations: fiscal
year 2000, $1.7 million; fiscal year 2001, $2.4 million; and fiscal
year 2002, $2.7 million. The Critical Infrastructure Protection Act of
2001, which was enacted as part of the USA PATRIOT Act, authorized $20
million for NISAC for fiscal year 2002. The Balanced Survivability
Assessments effort received $8.9 million in fiscal year 2000, $15.8
million in fiscal year 2001, and $17.6 million in fiscal year 2002.
National Security Agency:
NSA‘s primary CIP mission is protecting national security
telecommunications and information systems. The Information Assurance
Director falls under the purview of the Director, NSA, who is
responsible for fulfilling NSA‘s CIP duties. NSA‘s IAD performs these
duties through assessing the vulnerability of the security of
information systems, assessing operations security; evaluating and
assessing security measures in national security systems; and
addressing the threat, detection, reaction, warning, and response to
intrusions into national security systems.
Furthermore, the National Security Incident Response Center is NSA‘s
focal point for addressing computer incidents affecting the U.S.
government‘s national security information systems. The center‘s CIP
duties include providing warnings of threats against U.S. information
systems in a timely manner and providing assistance to defense and
civil agencies in isolating, containing, and resolving incidents that
threaten national security systems. The center also assists the JTF-
CNO, FedCIRC, and NIPC in isolating, containing, and resolving attacks
and unauthorized intrusions threatening national security systems.
NSIRC coordinates its incident reporting and vulnerability assessments
with these entities for attacks and intrusions directed against
national security systems. The center‘s vulnerability assessments are
used to develop hardware and software computer network defenses. NSA
works with NIST to evaluate commercial off-the-shelf products. In
addition, NSA coordinates with the President‘s Critical Infrastructure
Protection Board, the Committee for National Security Systems, and ASD/
C3I.
Defense Intelligence Agency:
DIA‘s CIP mission includes collecting and analyzing intelligence data
concerning threats to and vulnerabilities of critical infrastructures.
A senior staff member of the agency serves as the DOD Intelligence,
Surveillance, and Reconnaissance (ISR) CIAO, as well as the
Intelligence Special Function Coordinator for all DOD sectors. The ISR
CIAO is responsible for developing the ISR Sector Assurance Plan and
the ISR Sector Registered Asset List of identified critical assets.
These roles are a key element of the DOD-wide CIP program led by ASD/
C3I.
DIA received appropriations for some of its CIP and CIP-related
projects for fiscal years 2000, 2001, and 2002, but funding for the
remaining CIP efforts were funded through the DIA‘s budgeting process.
Joint Task Force--Computer Network Operations:
JTF-CNO, the United States Space Command‘s operational component for
computer network operations, is the primary DOD organization for
coordinating and directing internal activities to detect computer-based
attacks, contain damage, and restore computer functionality when
disruptions occur. JTF-CNO leverages the existing intrusion detection
capabilities of the unified commands, its components, and DOD and non-
DOD agencies. JTF-CNO receives intrusion data from these sources and
integrates these data with intelligence, operational, and technical
data. The 2001 JTF-CNO expansion is to allow it to increase JTF-CNO‘s
ability in (1) performing preventative activities, such as conducting
security reviews and issuing vulnerability alerts; (2) coordinating and
monitoring detection activities performed by components, including
monitoring automated intrusion-detection systems; (3) investigating
and diagnosing incidents; and (4) handling and responding to events,
which involves disseminating information and providing technical
assistance to system administrators so that they can appropriately
respond to cyberattacks. JTF-CNO maintains a relationship with CERT®/
CC, NIPC, and FedCIRC by participating in joint technical exchanges,
working groups, and countermeasure development teams.
Director of Central Intelligence:
PDD 63 identifies intelligence as a special function related to CIP and
designates the Central Intelligence Agency (CIA) as the lead agency for
this function. Recently, Executive Order 13231 assigned the Director of
Central Intelligence to the President‘s Critical Infrastructure
Protection Board. Additionally, the National Security Act of 1947
designates the Director of Central Intelligence as the primary adviser
on national foreign intelligence to the President and the National
Security Council, as well as to officials who make and execute U.S.
national security policy.
According to agency officials and federal documents, the organizations
with critical infrastructure protection responsibilities are as
follows:
* the Central Intelligence Agency (CIA),
* the National Intelligence Council (NIC), and:
* the National Foreign Intelligence Board (NFIB).
Central Intelligence Agency:
The CIA‘s mission is to provide accurate, comprehensive, and timely
intelligence on national security topics. PDD 63 directed the CIA to
enhance its capabilities to provide intelligence support for threat
assessment and warning and to engage in incident response as needed.
Since that time, the agency reports that it has made improvements in
analytic capabilities and intragovernment coordination regarding
mutual analysis, information sharing, and computer incident responses.
In addition, the agency established the Information Operations Center
to address the growing cyberthreats. CIA involvement in protecting the
information infrastructure also extends to participating with other
federal agencies and the private sector. In particular, the CIA has
assisted the FBI‘s NIPC by providing technical and analytic support and
disseminating cyberthreat assessments. In addition, CIA has
collaborated with NIPC and others in the intelligence community to
develop and present outreach briefings on foreign cyberthreats to key
infrastructure stakeholders, including elements of the private sector.
CIA collects foreign intelligence information through a variety of
clandestine and overt means. First, the Directorate of Operations has
primary responsibility for the clandestine collection of foreign
intelligence. This directorate is divided administratively into area
divisions, as well as several staffs, centers, and one division that
deals with transnational issues. Second, the Directorate of Science and
Technology (DS&T) provides a wide range of collection support to the
CIA and the intelligence community, including human source intelligence
collection efforts and agent communications. This directorate supports
the National Imagery and Mapping Agency with a cadre of affiliated
personnel who serve in key technical positions. Open-source collection
(collection of information from foreign radio, television, newspapers,
magazines and journals, commercial databases, etc.) is also
administered in the DS&T. In addition, this directorate provides
collection support for signal intelligence and measurement and
signature intelligence.
Once the intelligence has been collected, CIA analysts produce a
variety of finished intelligence products that support national-level
policy deliberations. The Directorate of Intelligence serves as the
executive agency for meeting the bulk of CIA‘s finished intelligence
products for the policy-making community through a number of
suboffices, including the Office of Russian and European Analysis; the
Office of Near Eastern, South Asian, and African Analysis; the Office
of Asian Pacific and Latin American Analysis; and the Office of
Transnational Issues. In addition, DS&T produces a number of
unclassified products derived from open-source materials.
National Intelligence Council:
The National Intelligence Council serves as a senior advisory group to
the DCI in his capacity as leader of the intelligence community. This
council is responsible for determining and promulgating the
intelligence community‘s judgments on issues of importance to
policymakers. Consequently, most of its publications are produced by
interagency teams and formally coordinated with all intelligence
agencies possessing relevant expertise.
NIC comprises national intelligence officers, experts drawn from all
elements of the intelligence community, from outside of government in
academia, and from the private sector. National intelligence officers
provide mid-and long-term strategic thinking and production by
concentrating on substantive problems of particular geographic regions
of the world and of particular functional areas (economic and global
issues, general-purpose forces, science and technology, strategic
programs and nuclear proliferation, and warning). NIC supervises the
production of national intelligence estimates and publications, briefs
senior policymakers, and focuses intelligence community collection and
analytic resources on priority issues. In particular, this council has
produced several documents related to CIP, including a classified 2001
national intelligence estimate on cyberthreats.
National Foreign Intelligence Board:
The National Foreign Intelligence Board, an advisory board to the
Director of Central Intelligence, has existed in one form or another
since the founding of the CIA in 1947. The board includes
representatives from all of the agencies that make up the intelligence
community (including NIC, CIA, DOD, State, Treasury, FBI, and DOE). In
particular, the board is responsible for producing, reviewing, and
coordinating national foreign intelligence, and the bulk of its work is
to review and approve national intelligence estimates that are created
by NIC.
U.S. Department of Energy:
PDD 63 assigned DOE as the lead sector liaison for the national energy
infrastructure, including electric power and oil and gas production and
storage. Recently, Executive Order 13231 assigned the Secretary of
Energy to the President‘s Critical Infrastructure Protection Board and
established a standing committee for infrastructure interdependencies,
which is co-chaired by designees from DOE and DOT. According to agency
officials and federal documents, the organizations with critical
infrastructure protection responsibilities are as follows:
* the Office of Energy Assurance (OEA) and:
* the National Laboratories.
Office of Energy Assurance:
According to its officials, DOE is currently restructuring the offices
that handle security and emergency management for both physical-and
cyber-based CIP under the OEA. This office will work with the states
and industry to allow for a secure and reliable flow of energy to
America‘s home, industry, and public-service facilities, as well as the
transportation system, in direct support of the President‘s national
energy policy and PDD 63.
Three offices will carry out OEA‘s functions. First, the Office of
Energy Reliability coordinates DOE policy development and
intergovernmental and interagency activities related to the protection
and reliability of the national energy infrastructure. This office will
be responsible for developing and maintaining a national strategy for
energy assurance in support of the President‘s national energy policy.
It will also provide leadership for intradepartmental energy-assurance
activities and represent DOE in interagency, intergovernmental, and
other energy-assurance-related forums. The office will develop a
national tracking and reporting process to assess the ongoing
effectiveness of the national strategy to identify shortfalls and
develop corrective action plans.
Second, the Office of Energy Emergencies will work to ensure that DOE
can support state and industry efforts to plan for, respond to, and
mitigate actions that disrupt the energy infrastructure. The office
will identify potential threats to the national energy infrastructure
and communicate information about them to the appropriate authorities
to facilitate emergency planning and response. This communications and
liaison network will also be maintained during emergencies. The office
will develop plans for federal responses to energy emergencies. In
addition, the office will assist states and industry by providing
technical and professional assistance in the development, testing, and
revision of their own emergency response plans.
Third, the Office of Critical Infrastructure Protection will work with
national energy organizations within the government and private
industry in developing the capability required for protecting the
nation‘s energy infrastructure. The office will assess the
vulnerability of the national energy infrastructure to cyber or
physical disruptions and identify technologies and capabilities that
can protect our nation‘s critical energy infrastructures and facilitate
their use by the private sector and federal agencies. The office will
develop and maintain interdependency models and planning tools to
assist federal and state government and private industry in
anticipating system failures and understanding the cascading effects of
single point failures (system failures experienced at centralized
network hubs). In addition, the office will coordinate national
laboratory research and development programs related to mitigating
national energy infrastructure vulnerabilities. This office will be
DOE‘s representative to the Critical Infrastructure Coordination Group
and the National Infrastructure Assurance Council.
National Laboratories:
DOE funds several national laboratories that conduct CIP-related
research. For example, Argonne Laboratories has been working on CIP
since 1997 by performing system mapping activities and vulnerability
testing. Also, Sandia National Laboratories has established the
Information Design Assurance Red Team (IDART). The team works in the
areas of information operations and security of critical
infrastructures. IDART assessments evaluate projects and programs for
system vulnerabilities in the areas of information warfare, information
assurance, and information security.
U.S. Department of Justice:
PDD 63 assigned Justice as the lead sector liaison for emergency law
enforcement services and for the special function of law enforcement
and internal security. Recently, Executive Order 13231 assigned the
Attorney General or designee to the President‘s Critical Infrastructure
Protection Board and co-chair of the Incident Response Coordination and
Physical Security committees. According to agency officials and federal
documents, the organizations with critical infrastructure protection
responsibilities are as follows:
* the Computer Crime and Intellectual Property Section (CCIPS),
* the National Infrastructure Protection Center (NIPC),
* the National Counter Intelligence Executive (NCIX), and:
* the Cyber Crime Division.
Computer Crime and Intellectual Property Section:
Within the Criminal Division, the CCIPS investigates and prosecutes
cyberattacks on our nation‘s critical infrastructure. This section also
addresses policy and legislation issues such as information sharing
among the military, the intelligence community, law enforcement,
civilian agencies and the private sector, as well as government network
intrusion detection and strategic planning. CCIPS coordinates with DOD,
CIAO, NIPC, NSC, and interagency groups that work on CIP issues,
including work on the national plan to defend cyberspace and the cyber
portion of the 5-year counterterrorism plan.
National Infrastructure Protection Center:
NIPC, a multiagency organization located within the FBI, detects,
analyzes, and warns of cyberthreats to and/or attacks on the
infrastructure, should they occur. NIPC‘s mission is based on
authorities given in Executive Order 13231 and PDD 63. In addition, the
center is responsible for accomplishing the FBI‘s role as lead agency
for sector liaison for the Emergency Law Enforcement Services Sector.
As a sector liaison, NIPC provides law enforcement response for
cyberthreats and crimes involving or affecting critical
infrastructures. NIPC also facilitates and coordinates the federal
government‘s response to cyber incidents, mitigating attacks, and
investigating threats, as well as monitoring reconstitution efforts.
NIPC regularly coordinates with federal, state, local, and law
enforcement and intelligence agencies resident in the NIPC: FBI, DOD,
CIA, NSA, the United States Secret Service (USSS), Commerce, DOT, DOE,
and other federal agencies on the President‘s Critical Infrastructure
Protection Board, as well as Canada and Great Britain.
In addition, NIPC runs the National InfraGard program, which is a
cooperative undertaking between the federal government and an
association of businesses, academic institutions, state and local law
enforcement agencies, and other participants dedicated to increasing
the security of critical infrastructures. InfraGard‘s goal is to enable
the flow of information so that the owners and operators of
infrastructure assets, the majority of which are from the private
sector, can better protect themselves and so that the U.S. government
can better discharge its law enforcement and national security
responsibilities. InfraGard provides members a forum for education and
training on infrastructure vulnerabilities and protection measures and
with threat advisories, alerts, and warnings.
NIPC comprises three sections: (1) the Computer Investigations and
Operations Section, which is the operational and response arm and is
responsible for designing, developing, implementing, and managing
automated tools NIPC uses to collect, analyze, share, and distribute
information; and coordinating computer investigations conducted by the
FBI‘s 56 field offices and approximately 400 sublocations throughout
the country; (2) the Analysis and Warning Section, which is the
indication and warning arm, which provides support during computer
intrusion investigations; and (3) the Training, Outreach, and Strategy
Section, which provides outreach to the private sector and to local law
enforcement, and training and exercise programs for cyber and
infrastructure protection investigators within the FBI and other
agencies. NIPC‘s funding to support these activities for fiscal years
2000 through 2002 has been $21 million, $26 million, and $72 million,
respectively.
National Counter Intelligence Executive:
Executive Order 13231 requires NCIX to coordinate with the President‘s
Critical Infrastructure Protection Board to address threats from
hostile foreign intelligence services to programs within the board‘s
purview. Created by PDD 75, ’Counterintelligence for the 21st Century,“
NCIX is appointed by, and reports to, the Director of the FBI, who is
the chair of the Counterintelligence Board of Directors. NCIX serves as
the substantive leader of national-level counterintelligence,
identifying critical assets, producing strategic counterintelligence
analyses, developing a national threat assessment, formulating a
national counterintelligence strategy, creating an integrated
counterintelligence budget, and developing an agenda of program reviews
and evaluations.
Cyber Crime Division:
A recent restructuring within the FBI has resulted in a new division
called the Cyber Crime Division. The mission of this division has not
been finalized.
U.S. Department of Transportation:
PDD 63 assigned DOT as the lead sector liaison for aviation, highways,
mass transit, pipelines, rail, and waterborne commerce. Recently,
Executive Order 13231 assigned the Secretary of Transportation or
designee to the President‘s Critical Infrastructure Protection Board
and as co-chair of the Infrastructure Independencies Committee.
According to officials, DOT is in the process of establishing the
Transportation Security Administration, which was required by the
Aviation and Transportation Security Act (P.L. 107-71, Nov. 19, 2001).
According to its officials, the department is still determining how CIP
responsibilities might be aligned under the new organization.
Currently, the Office of Intelligence and Security (OIS) is
Transportation‘s lead office in fulfilling its national CIP
responsibilities.
Office of Intelligence and Security:
Within the Office of the Secretary of Transportation, OIS analyzes,
develops, and coordinates departmental and national policies addressing
national defense, border security, and transportation infrastructure
assurance and protection issues. The office also coordinates with the
public and private sectors, international organizations, academia, and
interest groups regarding issues of infrastructure protection, national
defense, and drug and migrant interdiction, including serving as the
DOT CIP coordinator and sector liaison official under PDD 63 and its
lead for both PDD 62 and Executive Order 13231.
Outside DOT, OIS serves the secretary as the transportation sector
liaison official under PDD 63. To fulfill this role, OIS establishes
sector coordinators, such as the Association of American Railroads and
the Airport Councils International-North America, and is the primary
liaison with the Office of Homeland Security, the Office of Cyberspace
Security, the intelligence and law enforcement community, and DOD,
especially the U.S. Transportation Command. OIS is the transportation
sector‘s primary point of contact for all security issues, including
coordinating countermeasures and disseminating threat information.
Environmental Protection Agency:
PDD 63 designates the Environmental Protection Agency (EPA) as the lead
agency for sector liaison for protecting the water supply. Presidential
decision directives 39, 62, and 63 mandate EPA participation in a
federal response program specifically aimed at preparing for and
responding to terrorist incidents. According to agency officials, EPA
and the Office of Homeland Security are currently discussing also
designating EPA as the lead agency for sector liaison for chemical
preparedness. The Office of Water is the lead EPA office in fulfilling
EPA‘s national CIP responsibilities.
Office of Water:
As a result of concerns raised since September 11, the Office of Water
has expanded its focus to provide technical and financial assistance
for vulnerability assessments, and emergency response planning for
drinking water and wastewater utilities. This office also works to
improve knowledge and develop new technologies that will help utilities
protect assets and public health through cooperative research with
other federal agencies and nongovernmental organizations. Finally, the
Office of Water facilitates communications among utilities and
government officials at all levels regarding preparedness and response
activities involving the water sector. In this regard, the office
currently is reviewing the interdependencies between areas such as
energy, wastewater, and transportation.
Federal Emergency Management Agency:
PDD 63 assigned FEMA as the lead sector liaison for the emergency fire
service and continuity of government and the responsibility for
developing a national infrastructure assurance plan. In addition,
Executive Order 13231 assigned the Director of FEMA or designee to the
President‘s Critical Infrastructure Protection Board. FEMA supports
state and local emergency-management programs by funding emergency
planning, training emergency managers and local officials, conducting
large-scale tests, and sponsoring programs that teach the public how to
prepare for disasters. According to FEMA officials, the agency‘s CIP
roles are still evolving. In the past, FEMA focused primarily on
physical preparedness, response, and recovery. However, recently, FEMA
officials stated that the agency is exploring ways to better help local
officials regarding cyber issues. FEMA plans to handle cyberattacks
similar to the outreach done for natural disasters. According to agency
officials and federal documents, the organizations with critical
infrastructure protection responsibilities are as follows:
* the Office of National Preparedness (ONP),
* the United States Fire Administration (USFA), and:
* the Office of the Chief Information Officer (OCIO) and Information
Technology Services Directorate.
Office of National Preparedness:
Regarding CIP, the Office of National Preparedness provides leadership
in coordinating and facilitating all federal efforts to assist state
and local emergency-management and emergency-response organizations.
The assistance includes planning; training; equipment and exercises
necessary to build and sustain the capability to respond to any
emergency or disaster, including a terrorist incident involving a
weapon of mass destruction, as well as other natural or man-made
hazards. This office coordinates with the Office of Homeland Security
to develop a national strategy to protect against, respond to, and
recover from terrorist threats and incidents that affect the United
States and its citizens. To fulfill this goal, the Office of National
Preparedness coordinates, integrates, and implements all federal
programs and activities that develop, build, and maintain federal,
state, and local consequence management capabilities, including first
responders. It coordinates, implements, and administers a national
capability assurance program that employs standards, assessments,
exercises, lessons learned from disasters, and corrective actions to
ensure fully interoperable and continually validated federal, state,
and local response capabilities. This office also administers grant
programs for obtaining the needed levels of consequence management
capabilities at the state and local levels of government. ONP‘s
director, who has been designated as the FEMA/CIAO, oversees FEMA‘s PDD
63 sector responsibilities in support of emergency fire services and
continuity of government services.
United States Fire Administration:
The United States Fire Administration maintains a CIP information
center that serves as the information sharing and analysis center for
the emergency fire services sector as envisioned under PDD 63. The
center provides information to over 33,000 local fire and rescue
departments, who, as emergency first responders, have the
responsibility to prioritize the infrastructures that must be protected
from attack. The Fire Administration also maintains the national fire
data center, which proposes possible solutions and national priorities,
monitors resulting programs, and provides information to the public and
fire organizations.
Office of the Chief Information Officer and Information Technology
Services Directorate:
The Chief Information Officer (CIO) will support FEMA‘s CIAO in an
advisory capacity for all cyber infrastructure protection issues,
including those that affect the sectors for which FEMA is the lead
agency. As FEMA‘s executive agency for cybersecurity, the CIO will also
support FEMA‘s CIAO in meeting its PDD 63 responsibilities for internal
cyber infrastructure protection. Finally, the CIO will advise the
sector liaisons for emergency fire services and continuity of
government services on cyber infrastructure issues.
U.S. General Services Administration:
Recently, Executive Order 13231 assigned the Administrator of the GSA
to the President‘s Critical Infrastructure Protection Board. According
to agency officials and federal documents, the organizations with
critical infrastructure protection responsibilities are as follows:
* the Federal Computer Incident Response Center (FedCIRC) and:
* the Office of Acquisition Policy.
Federal Computer Incident Response Center:
In support of PDD 63 and the Government Information Security Reform
Act, FedCIRC provides a central focal point for computer incident
reporting, providing assistance to civilian agencies with independent
prevention and response. GSA administers FedCIRC through the Office of
Information Assurance and Critical Infrastructure Protection in the
Federal Technology Service. FedCIRC‘s mission is to ensure that the
government has critical services available to withstand or quickly
recover from attacks against its information resources.
FedCIRC provides the means for federal agencies to work together to
handle security incidents, share related information, solve common
security problems, collaborate with the President‘s Critical
Infrastructure Protection Board and the NIPC for planning future
infrastructure protection strategies and deal with criminal activities
that pose a threat to the critical information infrastructure. FedCIRC
distributes advisories and vulnerability notes via e-mail and on its
home page, as well as through a quarterly newsletter for information
security managers/officers and system administrators.
FedCIRC provides a computer security incident-response service to
collect and analyze incident information from all federal civilian
agencies. With this service, incidents can be rapidly analyzed so that
warnings are issued when a threat is discovered. In addition, FedCIRC
researches and analyzes computer incidents and vulnerabilities in
detail to identify potential risks to the information infrastructure
and works with the IT community to address and resolve these risks.
Beginning in June 2002, FedCIRC is offering a ’patch authentication and
dissemination capability“ to identify vendor patches needed to correct
known vulnerabilities in agency computer systems. FedCIRC will notify
agencies when vulnerabilities are identified, test the patches to
verify that they correct the intended vulnerabilities, and make them
available to agencies.
FedCIRC‘s funds specifically appropriated for cyber CIP for fiscal
years 2002 and 2003 were $10 million and $11 million, respectively.
Office of Acquisition Policy:
PDD 63 tasked GSA, in coordination with Commerce and DOD to assist
federal agencies in implementing best practices for information
assurance within their individual agencies. In addition, GSA is to
identify large procurements related to infrastructure assurance, study
whether the procurement process reflects the importance of
infrastructure protection and, if necessary, propose revisions to the
overall procurement process. The Office of Acquisition Policy has a
major role in developing, maintaining, issuing, and administering
guiding principles via the Federal Acquisition Regulation, which is
applicable to all executive branch agencies.
Department of Health and Human Services:
PDD 63 appoints the Department of Health and Human Services (HHS) as
the lead agency for sector liaison for protection of the health
services infrastructure. This role includes public health services and
prevention, surveillance, laboratory services, and personal health
services. In addition, Executive Order 13231 assigned the Secretary of
HHS or designee to the President‘s Critical Infrastructure Protection
Board. Agency officials stated that the department is experiencing many
changes and reorganizations and, as a result, is reexamining its
responsibilities for CIP. HHS‘s Deputy Secretary is charged with
overall responsibility for the CIP program, and the department‘s PDD 63
responsibilities are evolving. The Office of Emergency Preparedness
(OEP) is HHS‘s lead office in fulfilling its national CIP
responsibilities.
Office of Emergency Preparedness:
The Office of Emergency Preparedness has departmental responsibility
for managing and coordinating federal health; medical-and-health-
related social services; and recovery to major emergencies and
federally declared disasters, including natural disasters,
technological disasters, major transportation accidents, and
terrorism. As the lead federal agency for health and medical services
within the federal response plan, HHS designated this office to work in
partnership with FEMA and the federal interagency community. The Office
of Emergency Preparedness also directs and manages the National
Disaster Medical System, a cooperative asset-sharing partnership
between HHS, DOD, the Department of Veteran Affairs, FEMA, state and
local governments, private businesses, and civilian volunteers. The
office is also responsible for federal health and medical response to
terrorist acts involving weapons of mass destruction.
National Science Foundation:
The National Science Foundation (NSF) funds CIP-related research in
reliable and secure cyber infrastructures, including research on
computer and network security and assured information technologies
intended to provide sustainable communications and operations in the
aftermath of a catastrophic event. NSF‘s CIP-related funding also
includes research on decision science; emergency response and recovery;
and the interdependencies and vulnerabilities of physical
infrastructure systems, including electrical power, transportation,
energy, and water. Under Executive Order 13231, NSF participates in the
Critical Infrastructure Protection Board Research and Development
Standing Committee and Working Committee and supports studies at the
request of the President‘s Critical Infrastructure Protection Board.
Previously, the foundation participated in the interagency Critical
Infrastructure Protection Working Group established in response to PDD
63. NSF is involved in other research and development coordination
efforts relevant to CIP, including a leadership role in the Information
Technology Research and Development Working Group and interaction with
the Presidential Information Technology Advisory Committee. Its
responsibilities established under PDD 63 include education for a
cybersecurity workforce.
U.S. Department of State:
The Department of State advises the President on foreign policy and
relations. Accordingly, PDD 63 assigned State as the lead for the
special function of foreign affairs, and Executive Order 13231 assigned
the Secretary of State or his designee to the President‘s Critical
Infrastructure Protection Board, on which State serves as chair of the
International Affairs Committee. According to agency officials and
federal documents, the organizations with critical infrastructure
protection responsibilities are as follows:
* the Bureau of Resource Management (RM),
* the Bureau of Diplomatic Security (DS),
* the Bureau of Political-Military Affairs (PM),
* the Bureau of International Narcotics and Law Enforcement (INL), and:
* the Bureau of Economic and Business Affairs (EB).
Bureau of Resource Management:
The Assistant Secretary for Resource Management is responsible for
managing the formal department-wide CIP program plan by serving as
chair of the Department‘s Critical Infrastructure Protection Governance
Board. The Governance Board facilitates the decision making process on
policy and priorities relating to CIP within the Department. In
addition, the Resource Management Bureau is responsible for ensuring
that the formal departmentwide CIP program is managed and fully
resourced over a multiyear planning period to achieve the CIP
objectives of PDD 63 for both domestic and overseas operations.
Bureau of Diplomatic Security:
The Assistant Secretary for Diplomatic Security is the Department‘s
Chief Infrastructure Assurance Officer, who oversees the protection of
all other aspects of the department‘s critical infrastructure. The
Bureau of Diplomatic Security provides a secure environment for
conducting American diplomacy and promoting American interest
worldwide. Regarding CIP, this bureau develops and maintains effective
security programs for every U.S. embassy and consulate abroad. In
addition, the bureau monitors and analyzes intelligence on terrorist
activities and threats directed against Americans and U.S. diplomatic
facilities overseas, as well as threats against U.S. officials,
visiting foreign dignitaries, resident foreign diplomats, and foreign
missions in the United States.
Bureau of Political-Military Affairs:
The PM Bureau provides policy direction in the areas of international
security, military coordination and peace operations, and arms trade.
Its responsibilities include developing regional security policy,
security assistance, arms transfers, confidence and security building
measures, humanitarian de-mining programs, CIP, burden sharing, and
complex contingency operations and contingency planning. Regarding
federal CIP efforts, this bureau is responsible for coordinating and
implementing interagency and intradepartmental policy development. To
accomplish this goal, PM leads international cooperation on CIP issues.
In addition, Executive Order 13231 assigned this bureau responsibility
for the international CIP outreach program. PM‘s Assistant Secretary
serves as State‘s alternate representative on the President‘s Critical
Infrastructure Protection Board and chair of the Board‘s International
Affairs Committee.
Bureau of International Narcotics and Law Enforcement:
INL has specific responsibility for CIP-related issues involving
criminal misuse of information technology (e.g., cybercrime). This
bureau also coordinates and funds the response of federal law
enforcement to requests for training and technical assistance from
foreign partners, including assistance in fighting high-technology
crime, an important subset of protecting critical networked systems.
Bureau of Economic and Business Affairs:
The EB bureau is responsible for CIP-related issues in multilateral
economic organizations, such as the Organization for Economic
Cooperation and Development, and the Asia Pacific Economic Cooperation
forum. In such forums, the bureau works to develop internationally
accepted information technology security standards and best practices
and to ensure that government information security regimes include
input from private stockholders.
U.S. Department of the Treasury:
PDD 63 assigned Treasury as the lead sector liaison for banking and
finance. Recently, Executive Order 13231 designated the Secretary of
the Treasury a member of the President‘s Critical Infrastructure
Protection Board and created the Financial and Banking Information
Infrastructure Committee (FBIIC), which is chaired by the Treasury
Assistant Secretary for Financial Institutions. In addition, Executive
Order 13228 includes several policy coordinating committees that
regularly seek Treasury‘s input and cooperation. According to agency
officials and federal documents, the organizations with national or
multiagency cyber critical infrastructure protection responsibilities
are as follows:
* the Office of Financial Institutions (OFI),
* the United States Secret Service (USSS),
* the Office of the Comptroller of the Currency (OCC), and:
* the Office of Thrift Supervision (OTS).
Office of Financial Institutions:
Treasury‘s Assistant Secretary for the OFI acts as sector liaison to
the banking and finance sector on CIP. The office coordinates
Treasury‘s efforts regarding legislation and regulation for financial
institutions, federal agencies that regulate or insure financial
institutions, and securities markets. In addition, the assistant
secretary chairs FBIIC, which coordinates the federal financial
regulatory effort to develop a coordinated emergency response mechanism
in order to respond to cyber or physical attacks against the financial
sector. The OFI also participates on standing committees regarding
interdependencies, international outreach, and private-sector
outreach. FBIIC has also been tasked by the Office of Homeland Security
to examine the possible economic consequences of cyber or physical
attacks against these critical assets. Finally, this office is
consulting with private-sector representatives to develop a private-
sector-driven national strategy for infrastructure assurance, which
addresses not only cyberattacks, but also physical attacks against the
financial services sector.
United States Secret Service:
The United States Secret Service‘s role in CIP is to lead the research,
development, and implementation of effective and innovative
investigative programs to combat vulnerabilities of electronic
financial transactions and, as an arm of the Treasury, help sustain a
liaison with the banking and finance organizations to assess and
address vulnerabilities. To meet this challenge, the Secret Service has
permanently assigned representatives to the Critical Infrastructure
Assurance Office, NIPC, the Computer Emergency Response Team
Coordination Center at Carnegie Mellon, the Office of Homeland
Security, and the White House Office of Critical Infrastructure
Protection. The Secret Service provides input into the national CIP
plan through its representatives in these organizations. The Secret
Service has also initiated a nationwide network of Electronic Crimes
Task Forces, as mandated by the USA PATRIOT Act. These task forces,
which will bring law enforcement, academia, and the private sector
together, have been designated to provide a systemic and proactive
approach to preventing cyber-based crimes. Regarding physical CIP, the
Secret Service helps secure national special security events (e.g., the
Olympics).
Office of the Comptroller of the Currency:
OCC helps protect the nation‘s cyber critical infrastructure by
chartering, regulating, and supervising national banks to ensure that
the banking systems are safe and competitive. To accomplish its goals,
OCC approves and denies applications for new national bank charters;
examines national banks and other entities subject to its supervision;
takes supervisory action against banks that do not comply with laws and
regulations; and issues rules, regulations, and supervisory guidance
governing a wide spectrum of bank activities, including those relating
to investments and lending. The office also participates in the efforts
of the FBIIC.
Office of Thrift Supervision:
OTS, a Treasury bureau, is the primary regulator of all federal and
many state-chartered thrift institutions, which include savings banks
and savings and loan associations. Representatives of the OTS are
members of the FBIIC.
[End of section]
Appendix III: Components of Executive Departments or Agencies and Their
Primary Activities Related to Cyber CIP:
Table 4: Executive Department or Agency Components and Their Primary
Activities Related to Cyber CIP:
Organization: Federal Advisory Committees:
Organization: National Infrastructure Advisory Council; Policy
development: [Check];
Analysis& warning: [Empty];
Compliance: [Empty];
Response& recovery: [Empty];
Research & development: [Empty].
Organization: President‘s Council of Advisors on Science and
Technology;
Policy development: [Check];
Analysis& warning: [Empty];
Compliance: [Empty];
Response& recovery: [Empty];
Research &development: [Empty].
Organization: President‘s National Security Telecommunications
Advisory Committee;
Policy development: [Check];
Analysis& warning: [Empty];
Compliance: [Empty];
Response& recovery: [Empty];
Research &development: [Empty].
Organization: President‘s Information Technology Advisory Committee;
Policy development: [Check];
Analysis& warning: [Empty];
Compliance: [Empty];
Response& recovery: [Empty];
Research &development: [Empty].
Organization: National Science and Technology Council;
Policy development: [Check];
Analysis& warning: [Empty];
Compliance: [Empty];
Response& recovery: [Empty];
Research &development: [Empty].
Organization: Executive Office of the President;
Policy development: [Empty];
Analysis& warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Office of Homeland Security;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: National Security Council;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Office of Science and Technology Policy;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Check];
Research & development: [Empty].
Organization: National Economic Council;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Office of Management and Budget;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: President‘s Critical Infrastructure Protection Board;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Chief Information Officers Council;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: National Communications System;
Policy development: [Check];
Analysis & warning: [Check];
Compliance: [Empty];
Response & recovery: [Check];
Research & development: [Empty].
Organization: Federal Communications Commission;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Check];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: U.S. Department of Commerce;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Critical Infrastructure Assurance Office;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: National Institute of Standards and Technology;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Check].
Organization: National Information Assurance Partnership;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Check].
Organization: National Telecommunications and Information
Administration;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: U.S. Department of Defense;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Joint Staff;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Office of the Assistant Secretary of Defense, Command,
Control, Communications, and Intelligence;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Defense Advanced Research Projects Agency;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Check].
Organization: Defense Threat Reduction Agency;
Policy development: [Empty];
Analysis & warning: [Check];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Check].
Organization: National Security Agency;
Policy development: [Empty];
Analysis & warning: [Check];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Defense Intelligence Agency;
Policy development: [Empty];
Analysis & warning: [Check];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Joint Task Force - Computer Network Operations;
Policy development: [Empty];
Analysis & warning: [Check];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Director of Central Intelligence;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Central Intelligence Agency;
Policy development: [Empty];
Analysis & warning: [Check];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: National Intelligence Council;
Policy development: [Empty];
Analysis & warning: [Check];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: National Foreign Intelligence Board;
Policy development: [Empty];
Analysis & warning: [Check];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: U.S. Department of Energy;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Office of Energy Assurance;
Policy development: [Check];
Analysis & warning: [Check];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: National Laboratories; Policy
development: [Empty];
Analysis& warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Check].
Organization: U.S. Department of Justice;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Computer Crime and Intellectual Property Section;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Check];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: National Infrastructure Protection Center;
Policy development: [Empty];
Analysis & warning: [Check];
Compliance: [Check];
Response & recovery: [Check];
Research & development: [Check].
Organization: National Counter Intelligence Executive;
Policy development: [Check];
Analysis & warning: [Check];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Cyber Crime Division;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Check];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: U.S. Department of Transportation;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Office of Intelligence and Security;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Environmental Protection Agency;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Office of Water;
Policy development: [Check];
Analysis & warning: [Check];
Compliance: [Empty];
Response & recovery: [Check];
Research & development: [Empty].
Organization: Federal Emergency Management; Agency;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Office of National Preparedness;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: United States Fire Administration;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Office of the Chief Information Officer and Information
Technology Services Directorate;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: U.S. General Services Administration;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Federal Computer Incident Response Center;
Policy development: [Empty];
Analysis & warning: [Check];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Office of Acquisition Policy; Policy
development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Department of Health and Human Services;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Office of Emergency Preparedness;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Check];
Research & development: [Empty].
Organization: National Science Foundation;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Check].
Organization: U.S. Department of State;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Bureau of Resource Management;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Bureau of Diplomatic Security;
Policy development: [Empty];
Analysis & warning: [Check];
Compliance: [Check];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Bureau of Political-Military Affairs;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Bureau of International Narcotics and Law Enforcement;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Check];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Bureau of Economic and Business Affairs;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: U.S. Department of the Treasury;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Office of Financial Institutions;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Empty];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: United States Secret Service;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Check];
Response & recovery: [Empty];
Research & development: [Check].
Organization: Office of the Comptroller of the Currency;
Policy development: [Check];
Analysis & warning: [Empty];
Compliance: [Check];
Response & recovery: [Empty];
Research & development: [Empty].
Organization: Office of Thrift Supervision;
Policy development: [Empty];
Analysis & warning: [Empty];
Compliance: [Check];
Response & recovery: [Empty];
Research & development: [Empty].
[End of table]
[End of section]
Appendix IV: Comments from the Department of Justice:
U. S. Department of Justice:
Washington, DC 20530:
May 31, 2002:
Joel C. Willemssen:
Managing Director:
Information Technology Issues:
U.S. General Accounting Office:
441 G Street, NW:
Washington, D.C.
Dear Mr. Willemssen:
On May 17, 2002, the General Accounting Office (GAO) provided the
Department of Justice (DOJ) copies of its draft report ’Critical
Infrastructure Protection: Federal Efforts Require a More Coordinated
and Comprehensive Approach for Protecting Information Systems.“ The
draft was reviewed by representatives of the Criminal Division and the
Federal Bureau of Investigation. The DOJ generally concurs with the
report and is providing the enclosed minor comments for your
consideration and understand that they will be incorporated as
appropriate.
I hope the comments will be beneficial in completing the final
document. If you have any questions concerning any of the Department‘s
comments (technical or formal) you may contact me on (202) 514-0469.
Sincerely,
Vickie L. Sloan:
Director, Audit Liaison Office:
Justice Management Division:
Signed by Vickie L. Sloan:
Enclosure:
[End of section]
Appendix V: Comments from the Special Advisor to the President for
Cyberspace Security:
The White House Washington:
June 7, 2002:
Joel C. Willemssen:
Managing Director, Information Technology Issues:
U.S. General Accounting Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Willemssen:
Thank you for providing me an opportunity to review and comment on the
draft GAO report entitled ’Critical Infrastructure Protection: Federal
Efforts Require a more Coordinated and Comprehensive Approach for
Protecting Information Systems“ (GAO-02-474). Coordinating federal
critical infrastructure protection (CIP) efforts is a complex and
crucial endeavor. In October 2001, the Administration issued Executive
Order 13231 creating the President‘s Critical Infrastructure Protection
Board. Composed of senior federal officials, the Board coordinates
cybersecurity efforts including aligning roles and responsibilities of
the federal departments and agencies.
Your report correctly observes that the risk of computer based attacks
is real and growing. However, the coordination of federal efforts is
only a small part of the overall challenge of infrastructure
protection. The majority of the computing power in the U.S., which is
vulnerable to attack or could be comprised and used to launch attacks
against the nation‘s critical infrastructures, is not owned and
operated by the federal government; it is owned and operated by private
companies (large and small), universities, state and local governments
and home users. This presents a unique strategic challenge.
As Chair of the Board, I am coordinating a national strategy on cyber
security. The strategy will address a broad spectrum challenges related
to cyber security including those faced by federal, state and local
governments, as well as, private companies, infrastructure operators
and home users.
Sincerely,
Richard A. Clarke:
Special Advisor to the President for Cyberspace Security Chairman,
President‘s Infrastructure Protection Board:
Signed by Richard A. Clarke:
[End of section]
Appendix VI: Comments from the Office of Science and Technology Policy:
Executive Office Of The President Office Of Science And Technology
Policy:
Washington, D.C. 20502:
June 4, 2002:
Memorandum For Joel C. Willemssen:
Managing Director, Information Technology Issues:
General Accounting Office:
From: Shana Dale V:
Chief Of Staff And General Counsel:
Subject: OSTP Technical Corrections to GAO-02-474:
The following are technical corrections to the General Accounting
Office‘s proposed report entitled, ’Critical Infrastructure
Protection: Federal Efforts Require a More Coordinated and
Comprehensive Approach for Protecting Information Systems.“
1) Section entitled, ’Relationships Among Cyber CIP Organizations Are
Not Consistently Established,“ paragraph 2, delete sentence 4, ’Of the
organizations with research and development functions, none mentioned
the Office of Science and Technology Policy, who was designated the
lead coordinator for research and development in both PDD 63 and
Executive Order 13231.“
Comment: OSTP has exercised its coordination authority for CIP over the
past five years with those organizations that have research and
development (R&D) functions through regular senior level interagency
meetings.
Beginning in March 1998, the National Science and Technology Council
formed a Critical Infrastructure Protection Research and Development
Interagency Working Group (CIP R&D IWG) under the joint oversight of
the Committee on National Security and the Committee on Technology.
This CIP R&D IWG, led by OSTP, was established to develop and to
sustain a coherent roadmap on technologies that, if implemented within
critical national infrastructure sectors, would reduce vulnerabilities
and counter threats that could cause major damage to the security,
economic vitality, and social well-being of the United States. As a
result of PDD-63, the IWG‘s charter was expanded to develop a process
of ongoing R&D planning and appraisal, as well as to provide
appropriate R&D support to the Critical Infrastructure Coordinating
Group and the national coordinator.
On October 16, 2001, Executive Order 13231 established a standing
committee for research and development (CR&D), chaired by OSTP, to
coordinate a program of Federal Government R&D for protection of
information systems for critical infrastructure, including emergency
preparedness communications and the physical assets that support such
systems, and to ensure coordination of government activities in this
field with corporations, universities, federally funded research
centers, and national laboratories.
The CR&D created under Executive Order 13231 consists of a committee of
principals with senior R&D leadership from across departments and
agencies. Supporting the CR&D principals is a working level
subcommittee with representatives designated by principals from each of
the departments and agencies. The committee of principals meets on a
quarterly basis, and the subcommittee meets twice monthly. It is
inaccurate to imply that consultations are not occurring with the
agencies.
2) Appendix II, Executive Office of the President, Office of Science
and Technology Policy, paragraph 2, should be modified as follows:
The Technology Division is responsible for all of OSTP‘s activities in
the areas of national security an emergency-preparedness
telecommunications; the NCS; NSTAC, continuity of government
programs; and infrastructure protection programs; and works closely
with the Science technology division Division on national issues
security issues. The OSTP Assistant Director for Homeland and
National Security fills the post of Senior Director for Research and
Development within the Office of Homeland Security. OSTP has official
responsibilities for protecting the domestic infrastructure deriving
both from statute and executive order. As a result, OSTP coordinates
between the military and nonmilitary sectors within the government,
between the technical and the policy-making communities, and between
the federal government and state and local governments.
3) Appendix III, Components of Executive Departments or Agencies and
their Primary Activities Related to Cyber CIP, Executive Office of the
President, Office of Science and Technology Policy, should include a
check mark in the ’Response and recovery“ field. (Executive Order
12472, Section 2.)
4) Figure 3: Overview of National or Multi-agency Federal Cyber CIP
Organizations, Office of Science and Technology Policy, should include
Response and Recovery coloring in addition to Research and Development.
(Executive Order 12472, Section 2.)
[End of section]
Appendix VII: Comments from the Federal Emergency Management Agency:
Federal Emergency Management Agency:
Washington, D.C. 20472:
June 13, 2002:
Mr. Joel Willemssen:
General Accounting Office:
441 G Street, NW
Washington, DC 20548:
Dear Mr. Willemssen:
FEMA has reviewed General Accounting Office (GAO) Draft Report
entitled, Critical Infrastructure Protection: Federal Efforts Require a
More Coordinated and Comprehensive Approach for Protecting Information
Systems, GSA-02-474, dated July 2002.
We believe the report, as written does not incorporate the FEMA
Critical Infrastructure Protection (CIP) efforts that were approved by
Director Joe Allbaugh and submitted to the White House. The current
document dilutes the accurate reporting of the Agency‘s CIP structure
and mission. Please substitute the enclosed text for the FEMA portion
of your report, page 64.
The report lists and describes the activities of the Office of National
Preparedness; Readiness, Response, and Recovery Directorate; and the
U.S. Fire Administration as the components of FEMA with activities
related to cyber Critical Infrastructure Protection. FEMA‘s Office of
the CIO/Information Technology Services Directorate should be added to
that list. Relevant additions are incorporated in the text of the
enclosure. The following changes are also required:
1. Figure 4, page 21, should be amended to incorporate the following
under ’Federal Emergency Management Agency“: Office of the CIO/
Information Technology Services Directorate.
2. On page 76, Appendix III, ’Components of Executive Departments or
Agencies and their Primary Activities Related to Cyber CIP,“ the table
should be modified under ’Federal Emergency Management Agency“ to
include an entry, ’Information Technology Services Directorate,“ with a
checkmark under Policy Development.
Thank you for the opportunity to review on this report. Our points of
contact are Michael Mosteller, ONP, 202-646-4312, and Steve Schmidt,
Office of Cyber Security. 540-542-3343.
Sincerely,
Michael D. Brown:
Chief Operating Officer/General Counsel:
Signed by Michael D. Brown:
Attachment:
[End of section]
Appendix VIII: Comments from the Department of State:
United States Department of State:
Washington, D.C. 20520:
June 11 2002:
Dear Ms. Westin:
We appreciate the opportunity to review your draft report, ’Critical
Infrastructure Protection: Federal Efforts Require a More Coordinated
and Comprehensive Approach for Protecting Information System,“ GAO-02-
474, GAO Job Code 310141.
The Department‘s comments are enclosed for incorporation, along with
this letter, as an appendix to the GAO final report.
If you have any questions regarding this response, please contact
Hunter Ledbetter, Office of Intelligence Resources and Planning, Bureau
of Resource Management on (202) 647-7231.
Sincerely,
Christopher B. Burnham:
Assistant Secretary and Chief Financial Officer:
Signed by Christopher B. Burnham:
Enclosure:
As stated.
cc: GAO/IT - Mr. Willemssen State/OIG - Mr. Berman State/RM - Mr.
Kaplan:
Ms. Susan S. Westin, Managing Director, International Affairs and
Trade, U.S. General Accounting Office.
GAO Report Revisions:
U.S. Department of State:
The Department of State (DOS) advises the President on foreign policy
and relations. Accordingly, PDD 63 assigned DOS as the lead for the
special function of foreign affairs. Executive Order 13231 assigned the
Secretary of State or his designee to the President‘s CIP Board, on
which State serves as Chair of the International Affairs Committee.
According to DOS documents and officials, there are currently three
bureaus within the DOS charged with institutional CIP protection and
three others focused primarily on international outreach and
coordination involving CIP. These include:
* the Bureau of Resource Management (RM):
* the Bureau of Diplomatic Security (DS):
* the Bureau of Information Management (IRM):
* the Bureau of Political - Military Affairs (PM):
* the Bureau of International Narcotics and Law Enforcement (INL):
* the Bureau of Economic and Business Affairs (EB):
Bureau of Resource Management (RM):
The Assistant Secretary for Resource Management is responsible for
managing the formal Department-wide CIP Program plan by serving as
Chair of the Department‘s Critical Infrastructure Protection Governance
Board. The Governance Board facilitates the decision making process on
policy and priorities relating to CIP within the Department. In
addition, the RM bureau is responsible for ensuring that the formal
Department-wide CIP Program is managed and resource-loaded over a
multi-year planning period to achieve the CIP objectives of PDD-63 for
both domestic and overseas operations.
Bureau of Diplomatic Security (DS):
The Assistant Secretary for Diplomatic Security is the Department‘s
Chief Infrastructure Assurance Officer (CIAO) who oversees the
protection of all other aspects of the Department‘s critical
infrastructure. The DS bureau provides a secure environment for
conducting American diplomacy and promoting American interest
worldwide. Regarding CIP, DS develops and maintains effective security
programs for every U.S. embassy and consulate abroad.
Bureau of Information Resource Management (IRM):
IRM ensures availability of Information Technology systems and
operations, including IT contingency planning, to support the
Department‘s diplomatic, consular, and management operations; it is
also the authority for the Department‘s computer security programs.
Bureau of Political - Military Affairs (PM):
Executive Order 13231 assigned PM responsibility for the international
CIP outreach program. PM‘s Assistant Secretary serves as State‘s
alternate representative on the President‘s CIP Board and Chair of the
Board‘s International Affairs Committee. In this context, PM is
responsible for coordinating and implementing intradepartmental and
interagency policy to promote international cooperation on CIP issues.
Bureau of International Narcotics and Law Enforcement (INL):
The INL bureau has specific responsibility for CIP-related issues
involving criminal misuse of information technology (e.g. cyber-crime).
INL also coordinates and funds the response of federal law enforcement
to requests for training and technical assistance from foreign
partners, including assistance in fighting high tech crime, an
important subset of protecting critical networked systems.
Bureau for Economic and Business Affairs (EB):
The EB bureau is responsible for CIP-related issues in multilateral
economic organizations such as the Organization for Economic
Cooperation and Development (OECD), and the Asia Pacific Economic
Cooperation forum (APEC). In such fora, the EB bureau works to develop
internationally-accepted information technology security standards and
best practices, and to ensure that government information security
regimes include input from private stockholders.
[End of section]
Appendix IX: GAO Contact and Staff Acknowledgments:
GAO Contact:
Dave Powner (303) 572-7316:
Acknowledgments:
Contributors to this report include Sandra Edwards, Michael Gilmore,
Sophia Harrison, Catherine Schweitzer, Jamelyn Smith, and Eric Winter.
[End of section]
Footnotes:
[1] U.S. General Accounting Office, High-Risk Series: Information
Management and Technology, GAO/HR-97-9 (Washington, D.C.: Feb. 1,
1997); High-Risk Series: An Update, GAO/HR-99-1 (Washington, D.C.:
January 1999); High-Risk Series: An Update, GAO-01-263 (Washington,
D.C.: January. 2001).
[2] President‘s Commission on Critical Infrastructure Protection,
Critical Foundations: Protecting America‘s Infrastructures
(Washington, D.C.: October 1997).
[3] The CERT® Coordination Center is a center of Internet security
expertise located at the Software Engineering Institute, a federally
funded research and development center operated by Carnegie Mellon
University.
[4] Executive Order 13231 replaces this council with the National
Infrastructure Advisory Council.
[5] U.S. General Accounting Office, Combating Terrorism: Selected
Challenges and Related Recommendations, GAO-01-822 (Washington, D.C.:
Sept. 20, 2001).
[6] The White House, Defending America‘s Cyberspace: National Plan for
Information Systems Protection: Version 1.0: An Invitation to a
Dialogue (Washington, D.C.: 2000).
[7] U.S. General Accounting Office, Information Security: Opportunities
for Improved OMB Oversight of Agency Practices., GAO/AIMD-96-110
(Washington, D.C.: Sept. 24, 1996).
[8] U.S. General Accounting Office, Information Security: Serious
Weaknesses Place Critical Federal Operations and Assets at Risk, GAO/
AIMD-98-92 (Washington, D.C.: Sept. 23, 1998); Information Security:
Serious and Widespread Weaknesses Persist at Federal Agencies, GAO/
AIMD-00-295 (Washington, D.C.: Sept. 6, 2000); Information Security:
Additional Actions Needed to Fully Implement Reform Legislation, GAO-
02-470T (Washington, D.C.: Mar. 6, 2002).
[9] GAO/HR-97-9, Feb. 1,1997; GAO-01-263, January 2001.
[10] Title X, Subtitle G--Government Information Security Reform, Floyd
D. Spence National Defense Authorization Act for Fiscal Year 2001, P.L.
106-398 (Oct. 30, 2000).
[11] GAO-02-470T, Mar. 6, 2002.
[12] The Department of Commerce‘s CIAO established Project Matrix to
provide a standard methodology for identifying all assets, nodes,
networks, and associated infrastructure dependencies and
interdependencies required for the federal government to fulfill its
national security, economic stability, and critical public health and
safety responsibilities to the American people.
[13] These are the Departments of Commerce, Defense, Energy, Justice,
Transportation, Health and Human Services, State, and Treasury; and the
Environmental Protection Agency, the Federal Emergency Management
Agency, the General Services Administration, and the National Science
Foundation.
[14] Figure 4 displays the five general CIP activities according to a
color-coded legend. Appendix III provides an alternative (table format)
for black and white printing.
[15] U.S. General Accounting Office, Critical Infrastructure
Protection: Significant Challenges in Developing National
Capabilities, GAO-01-323 (Washington, D.C.: Apr. 25, 2001).
[16] GAO/AIMD-98-92, Washington, D.C.: Sept. 23, 1998.
[17] U.S. General Accounting Office, Critical Infrastructure
Protection: Challenges to Building a Comprehensive Strategy for
Information Sharing and Coordination, GAOT/AIMD-00-268 (Washington,
D.C.: July 26, 2000).
[18] GAO-01-822, Washington, D.C.: Sept. 20, 2001.
[19] Securing the Homeland, Strengthening the Nation, February 2002.
[20] OMB collects this information for the Annual Report on Combating
Terrorism as required by P.L. 105-85. By OMB‘s definition, CIP
encompasses the potential threat from equipment failure, human error,
weather and natural disasters, and criminal as well as terrorist
attacks.
[21] Congressional Research Service, Critical Infrastructures:
Background, Policy, and Implementation, Updated February 4, 2002.
[22] These departments or agencies are the Departments of Agriculture,
Education, Housing and Urban Development, Interior, Labor, and Veterans
Affairs, the U.S. Agency for International Development, the National
Aeronautics and Space Administration, and the Nuclear Regulatory
Commission.
[End of section]
GAO‘s Mission:
The General Accounting Office, the investigative arm of Congress,
exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO‘s commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO‘s Web site (www.gao.gov) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as ’Today‘s Reports,“ on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select ’Subscribe to daily E-mail alert for newly
released products“ under the GAO Reports heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. General Accounting Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470
Public Affairs:
Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800
U.S. General Accounting Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
